So you’ve stopped going to “those” types of websites that could potentially fill your PC with all kinds of malware, viruses and backdoor trojans — nice move. You also keep your virus definitions up-to-date and run regular scans of your entire machine. Your backups couldn’t be more religious, and you archive everything to DVD on a weekly basis. You’re safe, right? Maybe not…

There’s a new kind of security exploit involving a new image format called a “GIFAR”: users who simply LOOK at the image will fall prey to its nefarious objectives.

Computerworld: Here’s how an attack would work: A bad guy would create a profile on a popular Web site — Facebook, for example — and upload his GIFAR as an image on the site. Then he’d trick a victim into visiting a malicious Web site, which would tell the victim’s browser to go open the GIFAR. At that point, the applet would run in the browser, providing the hacker access to the victim’s Facebook account.

The attack could work on any site that allows users to upload files, potentially even on Web sites that are used to upload banking card photos or Amazon.com, they say.
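For a site that accepts image uploads, the defensive counterpart is to refuse files that are not purely images. A GIFAR is a GIF with a Java archive (a JAR, which is a ZIP file) appended, so the sketch below, an added example that is not from the original post or the Computerworld article, walks the GIF block structure and rejects anything that continues past the GIF trailer. The function names and the sample bytes are constructed for illustration.

```python
GIF_MAGICS = (b"GIF87a", b"GIF89a")
ZIP_SIGNATURES = (b"PK\x03\x04", b"PK\x05\x06")  # local file header, end-of-central-directory
def _skip_sub_blocks(data, pos):
    """Skip GIF data sub-blocks (<size><bytes>...), ending at a zero size byte."""
    while True:
        size = data[pos]
        pos += 1 + size
        if size == 0:
            return pos

def gif_end_offset(data):
    """Walk the GIF block structure and return the offset just past its trailer."""
    if data[:6] not in GIF_MAGICS:
        raise ValueError("missing GIF signature")
    packed = data[10]
    pos = 13                                   # header (6) + logical screen descriptor (7)
    if packed & 0x80:                          # global colour table present
        pos += 3 * (2 << (packed & 7))
    while True:
        block = data[pos]
        if block == 0x3B:                      # trailer: the image ends here
            return pos + 1
        if block == 0x21:                      # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        elif block == 0x2C:                    # image descriptor
            local = data[pos + 9]
            pos += 10
            if local & 0x80:                   # local colour table present
                pos += 3 * (2 << (local & 7))
            pos = _skip_sub_blocks(data, pos + 1)   # +1 skips the LZW minimum code size
        else:
            raise ValueError("unknown block type")

def inspect_upload(data):
    """Return (verdict, reason) for bytes a user uploaded as a GIF image."""
    try:
        end = gif_end_offset(data)
    except (ValueError, IndexError):           # IndexError: file truncated mid-block
        return ("reject", "not a well-formed GIF")
    trailing = data[end:]
    if any(sig in trailing for sig in ZIP_SIGNATURES):
        return ("reject", "ZIP/JAR structure after the GIF trailer")
    if trailing:
        return ("reject", "%d stray bytes after the GIF trailer" % len(trailing))
    return ("accept", "GIF ends at its trailer")

# Constructed sample inputs: a minimal 1x1 GIF and an empty ZIP end record (no payload).
SAMPLE_GIF = b"GIF89a" + bytes.fromhex("01000100800000000000ffffff2c00000000010001000002024401003b")
EMPTY_ZIP_RECORD = b"PK\x05\x06" + bytes(18)
```

A check like this is one layer only; re-encoding uploaded images and serving them from a separate origin remove the appended data and the same-site trust the attack relies on.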

So are we now restricted from visiting websites that contain images? Well, not quite: no one’s actually using this hack yet. Currently, it’s mostly theoretical: GIFAR has been created by a team of security experts, to demonstrate the vulnerability of current browsers, and perhaps to question the computer industry’s move away from desktop software and toward Web applications.

But given the upcoming Black Hat conference, mum won’t be the word for long. A planned conference discussion entitled “The Internet Is Broken” will cover the vulnerability in detail — which means perhaps we’re only a few photo views away from:

[Image: GIFAR The Scream]

[Via AlleyInsider] [Via Computerworld]
