Black Hat: A Photo That Can Steal Your Facebook Account
Robert McMillan writes on CIO.com:
At the Black Hat computer security conference in Las Vegas next week, researchers will demonstrate software they've developed that could steal online credentials from users of popular Web sites such as Facebook, eBay and Google.

More here.
The attack relies on a new type of hybrid file that looks like different things to different programs. By placing these files on Web sites that allow users to upload their own images, the researchers can circumvent security systems and take over the accounts of Web surfers who use these sites.
"We've been able to come up with a Java applet that for all intents and purposes is an image," said John Heasman, vice president of research at NGS Software.
They call this type of file a GIFAR, a contraction of GIF (graphics interchange format) and JAR (Java Archive), the two file-types that are mixed. At Black Hat, the researchers will show attendees how to create the GIFAR while omitting a few key details to prevent it from being used immediately in any widespread attack.
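The GIF/JAR hybrid described above can be reproduced in a few lines, because the two formats are parsed from opposite ends of the file: a GIF decoder reads the signature and logical-screen header at the start, while a ZIP (and therefore JAR) reader locates the end-of-central-directory record at the end and tolerates arbitrary bytes in front of the archive. The following is an added example, not code from the article or from the NGS Software researchers; it builds a GIF+ZIP polyglot from a hand-assembled 1x1 GIF and an archive containing only a manifest and a text file (no applet class, no credential-stealing logic), shows that both parsers accept the same bytes, and then implements the check an upload handler would want: flag an "image" that also carries ZIP structures, using the central-directory offset in the EOCD record to measure how many bytes were prepended. The function names and the two archive entries are placeholders chosen for this example.

```python
import io
import struct
import zipfile

# Constructed sample: a 1x1 transparent GIF89a assembled by hand for this
# example. Any real GIF works; the image parser only cares about what sits
# at the START of the file.
MINIMAL_GIF = (
    b"GIF89a"                              # signature + version
    b"\x01\x00\x01\x00"                    # logical screen: width=1, height=1 (LE)
    b"\x80\x00\x00"                        # packed flags (2-entry GCT), bg index, aspect
    b"\x00\x00\x00\xff\xff\xff"            # global colour table: black, white
    b"\x21\xf9\x04\x01\x00\x00\x00\x00"    # graphic control extension (transparent)
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor, 1x1 at (0,0)
    b"\x02\x02\x44\x01\x00"                # LZW min code size 2, one sub-block, terminator
    b"\x3b"                                # GIF trailer
)

IMAGE_MAGICS = (b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")
EOCD_SIG = b"PK\x05\x06"        # ZIP end-of-central-directory record
LOCAL_SIG = b"PK\x03\x04"       # ZIP local file header
EOCD_FMT = "<4sHHHHIIH"         # sig, disk, cd_disk, n_this, n_total, cd_size, cd_offset, comment_len


def build_jar(entries):
    """Return a ZIP archive (a JAR is a ZIP) holding the given name -> bytes entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_gifar(gif, jar):
    """GIFAR = image bytes followed by archive bytes. The GIF decoder stops at
    the trailer; the ZIP reader starts from the EOCD at the very end."""
    return gif + jar


def parse_gif_header(data):
    """What an image-upload filter typically validates: signature and dimensions."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    width, height = struct.unpack_from("<HH", data, 6)
    return {"version": data[3:6].decode("ascii"), "width": width, "height": height}


def list_jar_entries(data):
    """What a JAR loader sees in the same bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sorted(zf.namelist())


def find_embedded_zip(data):
    """Server-side check for image uploads: does this file also parse as a ZIP?

    The EOCD stores the central directory's offset relative to the start of the
    archive. If the directory is actually found further into the file, the
    difference is the size of whatever was prepended (here, the GIF).
    """
    result = {
        "is_image": data[:8].startswith(IMAGE_MAGICS),
        "has_local_header": data.find(LOCAL_SIG) != -1,
        "has_eocd": False,
        "prepended_bytes": None,
    }
    eocd_pos = data.rfind(EOCD_SIG)
    if eocd_pos == -1 or len(data) - eocd_pos < struct.calcsize(EOCD_FMT):
        return result
    sig, _, _, _, n_total, cd_size, cd_offset, comment_len = struct.unpack_from(
        EOCD_FMT, data, eocd_pos
    )
    # Accept only an EOCD that is really the last record (plus its comment).
    if eocd_pos + struct.calcsize(EOCD_FMT) + comment_len != len(data):
        return result
    result["has_eocd"] = True
    actual_cd_pos = eocd_pos - cd_size
    result["prepended_bytes"] = actual_cd_pos - cd_offset
    result["entries"] = n_total
    return result


if __name__ == "__main__":
    jar = build_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                     "README.txt": b"placeholder entry for the example\n"})
    gifar = build_gifar(MINIMAL_GIF, jar)
    print("GIF header:", parse_gif_header(gifar))
    print("JAR entries:", list_jar_entries(gifar))
    print("Upload check:", find_embedded_zip(gifar))
```

The check above reports `is_image`, `has_eocd` and a `prepended_bytes` value equal to the GIF's length for the polyglot, and no EOCD for the plain GIF. Signature scanning is a useful tripwire, but it is not a complete defence: the robust fix for an upload endpoint is to decode and re-encode every image (which drops the trailing archive), to reject files with data after the image trailer, and to serve user-supplied files from an origin that carries no session for the main site.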