What’s in a picture? Well, for security researcher David Buchanan, it’s the entire works of Shakespeare.
On Tuesday, Buchanan tweeted a tiny image of Shakespeare with the words UNZIP ME written on it. Turns out, he managed to supersede the 280-word limit by finding a way to store an entire ZIP file containing all of Shakespeare’s words within the image.
Buchanan discovered that although Twitter strips most metadata from images, he was able to upload an image as a polyglot file – meaning that it is written in multiple programming languages, allowing it to be valid as a .jpg, .rar, or .zip archive.
Assuming this all works out, the image in this tweet is also a valid ZIP archive, containing a multipart RAR archive, containing the complete works of Shakespeare.
This technique also survives twitter’s thumbnailer 😛 pic.twitter.com/P0Owq9abRC
— Dаvіd Вucһаnаn (@David3141593) October 29, 2018
Buchanan then decided to write his own script (not the Romeo and Juliet kind), which allowed him to insert a “big blob of ICC metadata,” he said in a Twitter DM. Turns out this type of metadata can be up to 16MB in size.
“I was just testing to see how much raw data I could cram into a tweet and then a while later I had the idea to embed a ZIP file,” Buchanan added.
Twitter users went on to confirm that the experiment worked, and that by following Buchanan’s instructions on how to pull data from the file (see below), you do indeed end up with the bard’s complete works on your tech device.
Good stuff. pic.twitter.com/BGC5cXcwK2
— Joshua (@josshings) October 31, 2018
To anyone having trouble opening this;
Right Click the image and copy image location, open it in new tab and save the image.
If windows says it is not a valid zip file (like it did for me) try using something like 7zip instead of windows explorer, and it should work. pic.twitter.com/gE221keNYK
— DeathChaos (@DeathChaos25) October 30, 2018
This discovery opens up a world of possibilities for file sharing via Twitter, but of course with the good comes the bad. If files can contain over 884,000 words written by one of history’s greatest writers, then they can also contain malicious software, or malware.
Buchanan said that although this has already been possible through the use of other steganography techniques (steganography is the official term for embedding secret messages within ordinary messages), this new method “allows you to pack in way more data.”
He reported the technique to Twitter, but they weren’t particularly bothered by it. Let’s hope that the fiddly and lengthy process required to pull this off will deter those with nefarious intentions.