When is a ‘Thank you’ not a ‘Thank you’? When it’s a sneaky bit of code that’s been hidden inside a ‘Thank You’ image that somebody posted in the comments section of a product page! The guilty secret hidden inside this particular piece of code was designed to let hackers bypass security controls and steal the personal identifying information of online shoppers, which could have meant big trouble for them and the company.
The page in question belongs to a global retailer. User communities are often a great source of unbiased advice from fellow enthusiasts, which was why a Nikon camera owner was posting there. They were looking for the ideal 50mm lens and asked for a recommendation. They offered thanks in advance to whoever might take the trouble to respond, and even left a little image that said, “Thank you,” too, and to the naked eye it looked fine.
The comment and image stayed on the site for three years(!), but when the company started using the continuous web threat management solution from Reflectiz, a leading web security firm, it detected something troubling within this innocent-looking graphic during a routine monitoring scan. In this article, we give a broad overview of what happened, but if you’d prefer a deeper explanation, along with more details on how you can protect your own comments pages, you can download the full, in-depth case study here.
One of the best things about the web is the fact that you can easily share images, but as a human looking at hundreds of them every day, it’s easy to forget that each one is just a stream of bytes, like any other digital asset on a webpage. That being the case, malicious actors often try to hide their own code and data within them, which brings us to the practice of steganography. This is the term for hiding one piece of information inside another. It isn’t the same as cryptography, which turns messages into gibberish so they can’t be understood. Instead, steganography hides data in plain sight, in this case, inside an image.
You may be aware that computer monitors display images using a mosaic of dots called pixels and that each pixel can emit a mixture of red, green, and blue light. The strength of each color in one of these RGB pixels is determined by a value between 0 and 255, so 255,0,0 gives us red, 0,255,0 gives us green, and so on.
255,0,0 is the strongest red that the screen can display, and while 254,0,0 is slightly less strong (only the least significant bit of the red value has changed), it would look exactly the same to the human eye. By making lots of these small alterations to the values of selected pixels, malicious actors can hide data in plain sight. By changing enough of them, they can create a sequence of bits that a program can read back as a message, and in the case of the one posted in the photography retailer’s comments section, the altered image contained hidden instructions and the address of a compromised domain. It was a surprise to find that the JavaScript on the page was reading this hidden information out of the image and using it to communicate with that domain.
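As an added illustration (not code from this article or from Reflectiz), the Python below builds a constructed 64x64 RGB pixel array, overwrites least-significant bits the way the article describes (255 becoming 254 and so on), and then runs a simple LSB-plane randomness check of the kind a reviewer could apply to uploaded images. The window size, the tolerance and the random stand-in payload are assumptions.

```python
import random

WIDTH, HEIGHT = 64, 64          # constructed 64x64 RGB image, 3 channel values per pixel
WINDOW = 1024                   # channel values per analysis window (assumption)

def clean_image():
    """Constructed stand-in for a photo: smooth gradients, every channel value even."""
    px = []
    for y in range(HEIGHT):
        for x in range(WIDTH):
            px += [(x * 4) % 256, (y * 4) % 256, 128]      # R, G, B
    return px

def embed_bits(pixels, bits):
    """Overwrite the LSB of successive channel values (the 255 -> 254 style change)."""
    out = list(pixels)
    for i, b in enumerate(bits):
        out[i] = (out[i] & 0xFE) | b
    return out

def bytes_to_bits(data):
    """Big-endian bit list for a byte string."""
    return [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]

def lsb_stats(values):
    """(fraction of 1-bits, fraction of adjacent-bit changes) of the LSB plane."""
    bits = [v & 1 for v in values]
    ones = sum(bits) / len(bits)
    changes = sum(a != b for a, b in zip(bits, bits[1:])) / (len(bits) - 1)
    return ones, changes

def suspicious_windows(pixels, tolerance=0.1):
    """Indexes of windows whose LSB plane looks like random data (both stats near 0.5).
    Smooth image regions give a structured LSB plane; embedded compressed or
    encrypted data gives a plane that behaves like a coin flip."""
    flagged = []
    for w in range(0, len(pixels) - WINDOW + 1, WINDOW):
        ones, changes = lsb_stats(pixels[w:w + WINDOW])
        if abs(ones - 0.5) < tolerance and abs(changes - 0.5) < tolerance:
            flagged.append(w // WINDOW)
    return flagged

def demo():
    """Compare the check on the clean image and on a copy carrying 512 random bytes."""
    clean = clean_image()
    rng = random.Random(7)                                   # constructed, deterministic payload
    payload = bytes(rng.getrandbits(8) for _ in range(512))  # 4096 bits -> first four windows
    stego = embed_bits(clean, bytes_to_bits(payload))
    return suspicious_windows(clean), suspicious_windows(stego)
```

Real photographs carry sensor noise, so their LSB plane can also look close to random; this heuristic needs calibration against known-clean uploads, and the case described here was caught by monitoring what the page's components actually did rather than by image statistics alone.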
The big problem for anyone operating an e-commerce website is that malicious actors are always looking for opportunities to steal customer PII and payment card details, and altering image files is only one of many possible methods they use. Legislators in a growing number of territories, as well as rule makers in areas like the payment card industry, have responded by implementing detailed regulatory frameworks that impose stringent security requirements on providers along with big fines if they fail.
GDPR requires anybody selling to European Union customers to follow its large and detailed framework. Anytime an e-commerce retailer succumbs to steganography or any other kind of attack that compromises customer information, it can attract fines in the millions of dollars, trigger class action lawsuits, and create bad publicity that leads to reputational damage. That’s why it’s so crucial to understand how to defend your website from such attacks, which the full case study explains.
The case study goes into depth on how this threat was uncovered and controlled, but the short explanation is that the platform’s monitoring technology detected suspicious activity in a web component, then cross-referenced certain details with its extensive threat database.
The system routinely identifies and blocks any third-party web components that track user activity without their permission. It detects which third-party components get hold of users’ geo-location, camera, and microphone permissions without their consent and it maps all web components that can access sensitive information.
In this case, human security specialists at Reflectiz alerted the company to the vulnerability, gave its security staff clear mitigation steps, and investigated the suspicious code to understand how the attackers managed to put it there. You can read about their findings here, in the full case study, as well as learn what security steps to prioritize in order to avoid the same thing happening to your own comments pages.