JavaScript risk in SVG images

Malicious SVG images sent over Facebook Messenger are being used to deliver Locky ransomware.

An SVG file is XML, and the format allows a <script> element whose body (usually wrapped in a CDATA section so the XML parser leaves it alone) is ordinary JavaScript; the same goes for on* event-handler attributes and javascript: links. Whether any of that runs depends on how the browser loads the file. Referenced from an <img> tag or a CSS background, scripts are not executed. Opened directly as a page, embedded with <object>, <embed> or <iframe>, or inlined into the HTML, the script runs with the privileges of the origin the file is served from. That is why user-submitted SVGs are a potential stored XSS weakness: a site that stores them and serves them back from its own origin has let an attacker host script there.
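As an added example, not code from the original post, here is a standard-library Python check a site could run on uploaded SVGs before storing or re-serving them. It flags the constructs above (a script element, an on* handler, a javascript: link, and an HTML script smuggled in through foreignObject) and produces a stripped copy. The sample file, the function names and the element list are assumptions made for the demonstration.

```python
"""Detect and strip script-capable content from an uploaded SVG.

Added example for this post, not code from the original article. Standard
library only. The sample SVG and the function names are constructed for the
demonstration.
"""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Keep the usual prefixes on output so the cleaned file is still a normal SVG.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that can execute script or smuggle in HTML. foreignObject is included
# because it can wrap an XHTML <script> that a test for svg:script alone misses.
SCRIPT_CAPABLE_ELEMENTS = {"script", "foreignObject"}

# Constructed sample: the shape of a script-bearing SVG, not the real Messenger file.
MALICIOUS_SVG = f"""<svg xmlns="{SVG_NS}" xmlns:xlink="{XLINK_NS}" width="100" height="100">
  <script><![CDATA[ window.location = "https://fake-youtube.example/"; ]]></script>
  <rect width="100" height="100" fill="red" onclick="alert(1)"/>
  <a xlink:href="javascript:alert(2)"><text x="10" y="50">click me</text></a>
  <foreignObject width="100" height="100">
    <body xmlns="http://www.w3.org/1999/xhtml"><script>alert(3)</script></body>
  </foreignObject>
</svg>"""


def _local_name(qualified: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script'; plain names pass through."""
    return qualified.rsplit("}", 1)[-1]


def _is_active_attribute(attr: str, value: str) -> bool:
    """True for on* event handlers (onload, onclick, onbegin, ...) and javascript: links."""
    name = _local_name(attr).lower()
    return name.startswith("on") or (
        name == "href" and value.strip().lower().startswith("javascript:")
    )


def find_active_content(svg_bytes: bytes) -> list[str]:
    """List every construct that can run script when the SVG is opened as a document.

    Note: xml.etree has no protection against entity-expansion attacks; a
    production upload handler should parse with defusedxml instead.
    """
    root = ET.fromstring(svg_bytes)
    findings = []
    for elem in root.iter():
        tag = _local_name(elem.tag)
        if tag in SCRIPT_CAPABLE_ELEMENTS:
            findings.append(f"element <{tag}>")
        for attr, value in elem.attrib.items():
            if _is_active_attribute(attr, value):
                findings.append(f"{_local_name(attr)} attribute on <{tag}>")
    return findings


def strip_active_content(svg_bytes: bytes) -> bytes:
    """Return the SVG with script-capable elements and attributes removed."""
    root = ET.fromstring(svg_bytes)
    # ElementTree elements carry no parent pointer, so build the map up front.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    for elem in list(root.iter()):  # snapshot: the tree is mutated below
        if _local_name(elem.tag) in SCRIPT_CAPABLE_ELEMENTS and elem in parent_of:
            parent_of[elem].remove(elem)  # drops the whole subtree
            continue
        for attr in list(elem.attrib):
            if _is_active_attribute(attr, elem.attrib[attr]):
                del elem.attrib[attr]
    return ET.tostring(root, encoding="utf-8")


if __name__ == "__main__":
    raw = MALICIOUS_SVG.encode()
    for finding in find_active_content(raw):
        print("found:", finding)
    print(strip_active_content(raw).decode())
```

Stripping is defence in depth, not the fix: the robust options are to rasterize uploads to PNG, or to serve user-supplied SVGs only from a separate origin with `Content-Disposition: attachment` or a Content-Security-Policy that forbids script, so that nothing runs even if the filter misses a construct.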

The attack in this case redirects the victim to a fake YouTube page that asks them to “install a codec.” The “codec” is the ransomware loader.

This raises a lot of questions in my mind, and I don’t have many answers. Today’s browsers have protections against cross-site scripting because the problem is so common, but those protections are aimed at script injected into an HTML page, not at a file the browser has been asked to open as a document in its own right. Messaging applications, such as Messenger, WhatsApp, and Signal, may have similar issues but less well-developed protections.

If I got an “image” in a messenger application and it took my browser to a website, I’d consider that serious misbehavior and abort whatever I was doing. Of course, a lot of people will just download whatever they’re asked to download.

Allowing JavaScript within SVG sounds like a “Wouldn’t that be neat” idea that someone threw in without much thought about the security consequences. Scripting is nonetheless part of the SVG specification, so it is not going away; the practical consequence is that an SVG should be treated as a document rather than an image, which makes it inherently riskier than raster formats such as PNG or JPEG, which carry no executable content.
