JavaScript risk in SVG images
Malicious SVG images sent over Facebook Messenger are being used to deliver Locky ransomware.
An SVG file is XML, not a bitmap, and it can contain a <script> element whose body is executable JavaScript, usually wrapped in a CDATA section so that < and & need no escaping. Whether that script runs depends on how the file reaches the browser: an SVG referenced from an <img> tag or a CSS background is rendered in a restricted image mode with scripting disabled, but one opened directly as a document, embedded with <object>, <embed> or <iframe>, or pasted inline into the page runs its script with the full privileges of whatever origin served it. That is the XSS risk for any site that accepts user-submitted images and serves them from its main origin.

The attack in this case takes the user to a fake YouTube website that asks the user to “install a codec.” The “codec” is the ransomware loader.
This raises a lot of questions in my mind, and I don’t have many answers. Today’s browsers and web sites have well-developed protections against cross-site scripting (the same-origin policy, Content Security Policy, routine output encoding), because it’s so common a problem. Messaging applications, such as Messenger, WhatsApp, and Signal, may have similar issues but less well-developed protections.
If I got an “image” in a messenger application and it took my browser to a website, I’d consider that serious misbehavior and abort whatever I was doing. Of course, a lot of people will just download whatever they’re asked to download.
Allowing JavaScript within SVG sounds like a “Wouldn’t that be neat” idea that someone threw in without much thought about the security consequences. It makes SVG inherently riskier than other image formats. The practical rule for anyone accepting uploads is to treat SVG as an HTML-like document rather than as an image: reject or strip <script> and <foreignObject> elements, on* event-handler attributes and javascript: links; serve user files from a separate origin; and send them with a Content-Security-Policy that forbids scripts, or with Content-Disposition: attachment so a direct load downloads the file instead of rendering it.
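The following is an added example of the upload-time check described above, written for this page and not code from the original post or from Facebook, Messenger or any sanitizer library. It parses an SVG with the Python standard library, reports the script-capable content (<script>, <foreignObject>, on* handlers, and href values outside an allowlist of fragment, relative and http(s) URLs), and produces a stripped copy. The sample SVG is constructed to resemble the post’s description; the redirect URL in it is a placeholder, not the real attack page.

```python
"""Detect and strip script-capable content from an SVG before it is stored or served.

Added illustration; not code from the original post or from any product named in it.
Uses only the Python standard library so it runs offline.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Keep the usual prefixes on output instead of ElementTree's generated ns0:, ns1:
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that give an SVG a route to running code or embedding arbitrary HTML.
DANGEROUS_ELEMENTS = {"script", "foreignObject"}

# Constructed sample modelled on the attack in the post: a script in a CDATA section,
# plus the other common SVG script vectors. The URL is a placeholder, not the real one.
MALICIOUS_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="200" height="200" onload="alert(1)">
  <rect width="200" height="200" fill="#ccc"/>
  <a xlink:href="javascript:alert(2)"><text x="10" y="20">click</text></a>
  <foreignObject width="100" height="50">
    <div xmlns="http://www.w3.org/1999/xhtml">embedded HTML</div>
  </foreignObject>
  <script type="text/javascript"><![CDATA[
    window.location = "https://example.invalid/fake-youtube";  // placeholder redirect
  ]]></script>
</svg>
"""

# Constructed benign sample: a plain drawing with a fragment link.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <a xlink:href="#top"><circle cx="5" cy="5" r="4" fill="blue"/></a>
</svg>
"""


def local_name(tag):
    """'{http://www.w3.org/2000/svg}script' -> 'script'; unqualified names pass through."""
    return tag.rsplit("}", 1)[-1]


def is_safe_href(value):
    """Allowlist link targets: fragments, relative URLs and http(s).

    Everything else (javascript:, vbscript:, data:, ...) is rejected. Control
    characters and whitespace are removed first because browsers ignore them
    inside a scheme, so 'java\\nscript:' would otherwise slip past a prefix test.
    Embedded data: raster images, if you need them, deserve their own check.
    """
    cleaned = "".join(ch for ch in value if ch > " " and ch != "\x7f")
    return urlsplit(cleaned).scheme in ("", "http", "https")


def find_active_content(svg_bytes):
    """Return a list of findings describing script-capable content in the SVG.

    For untrusted input in production, parse with defusedxml rather than the
    stdlib so entity-expansion tricks against the XML layer are also refused.
    """
    root = ET.fromstring(svg_bytes)
    findings = []
    for elem in root.iter():
        name = local_name(elem.tag)
        if name in DANGEROUS_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            aname = local_name(attr)
            if aname.lower().startswith("on"):                  # onload, onclick, onbegin, ...
                findings.append(f"{aname} handler on <{name}>")
            elif aname == "href" and not is_safe_href(value):  # covers href and xlink:href
                findings.append(f"unsafe href on <{name}>")
    return findings


def strip_active_content(svg_bytes):
    """Return the SVG as bytes with script elements, event handlers and unsafe hrefs removed."""
    root = ET.fromstring(svg_bytes)
    if local_name(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    parent_of = {child: parent for parent in root.iter() for child in parent}
    doomed = []
    for elem in root.iter():
        if local_name(elem.tag) in DANGEROUS_ELEMENTS:
            doomed.append(elem)
            continue
        for attr in list(elem.attrib):
            aname = local_name(attr)
            if aname.lower().startswith("on") or (aname == "href" and not is_safe_href(elem.attrib[attr])):
                del elem.attrib[attr]
    for elem in doomed:  # remove after the walk so iteration is not disturbed
        parent_of[elem].remove(elem)
    return ET.tostring(root, encoding="utf-8")


if __name__ == "__main__":
    print("findings:", find_active_content(MALICIOUS_SVG))
    cleaned = strip_active_content(MALICIOUS_SVG)
    print("after stripping:", find_active_content(cleaned))
    print(cleaned.decode())
```

Rejecting on any finding is the safer policy for an upload endpoint; stripping is for cases where the image must be kept. Either way the check is a complement to serving user files from a separate origin, not a replacement for it.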