Malicious SVG images sent over Facebook Messenger are being used to deliver Locky ransomware.
An SVG file can contain a <script> tag, which contains executable JavaScript as CDATA. If it’s an image on a Web page, the JavaScript can run in the browser. This is a potential XSS weakness, if users can submit images to a site.
The attack in this case takes the user to a fake YouTube website that asks the user to “install a codec.” The “codec” is the ransomware loader.
This raises a lot of questions in my mind, and I don’t have many answers. Today’s browsers have protections against cross-site scripting, because it’s so common a problem. Messaging applications, such as Messenger, WhatsApp, and Signal, may have similar issues but less well-developed protections.
If I got an “image” in a messenger application and it took my browser to a website, I’d consider that serious misbehavior and abort whatever I was doing. Of course, a lot of people will just download whatever they’re asked to download.
Allowing JavaScript within SVG sounds like a “Wouldn’t that be neat” idea that someone threw in without much thought about the security consequences. It makes SVG inherently riskier than other image formats.
Like this:
Like Loading...
Related
JavaScript risk in SVG images
Malicious SVG images sent over Facebook Messenger are being used to deliver Locky ransomware.
An SVG file can contain a
<script>tag, which contains executable JavaScript as CDATA. If it’s an image on a Web page, the JavaScript can run in the browser. This is a potential XSS weakness, if users can submit images to a site.The attack in this case takes the user to a fake YouTube website that asks the user to “install a codec.” The “codec” is the ransomware loader.
This raises a lot of questions in my mind, and I don’t have many answers. Today’s browsers have protections against cross-site scripting, because it’s so common a problem. Messaging applications, such as Messenger, WhatsApp, and Signal, may have similar issues but less well-developed protections.
If I got an “image” in a messenger application and it took my browser to a website, I’d consider that serious misbehavior and abort whatever I was doing. Of course, a lot of people will just download whatever they’re asked to download.
Allowing JavaScript within SVG sounds like a “Wouldn’t that be neat” idea that someone threw in without much thought about the security consequences. It makes SVG inherently riskier than other image formats.
Share this:
Like this:
Related