Steganography is the art and science of embedding secret messages in a cover message so that no one, apart from the sender and intended recipient, suspects the existence of the message.
The most common example is hiding a message in an image file without visibly changing the image. Most people use photos to share a fantastic moment or two and don't know that they can carry a secret message.
What could be the use case?
- Someone can hack your phone and embed your text messages in the pictures you take and share on Instagram.
- A disgruntled employee can post a picture on your blog that carries a secret message, leaking trade secrets to your competitors.
- Another person can embed an exploit in a PNG ad image; JavaScript code would parse the PNG image, extract the malicious code, and redirect the user to the exploit kit landing page.
- Steganography is also a well-known method for exchanging information between spies.
Even if it sounds like science fiction, this is a viable threat to you and your systems.
Steganography Protector API
I have created an API (as a proof of concept) that can detect a secret message hidden in any image file.
The endpoint is here (a new one after the Heroku shutdown):
https://web-production-32ac.up.railway.app/
It accepts POST requests only. The input is a JSON object whose rstego field holds a valid URI of an image.
Examples
Request
import requests
import json

url = 'https://web-production-32ac.up.railway.app/'
# URI of the image to be checked
s_url = "https://1gr.cz/o/newspaper/images/vyber-mfd-3.png"
# The API expects a JSON body with the image URI in the rstego field
stego_obj = {'rstego': s_url}
r = requests.post(url, json=stego_obj)
# Pretty-print the JSON reply (imgurl, message, response, status)
json_output = json.dumps(r.json(), indent=2)
print(json_output)
Response
{
"imgurl": "https://1gr.cz/o/newspaper/images/vyber-mfd-3.png",
"message": "",
"response": "Stego: Roar -> the picture is Safe.",
"status": "safe"
}
Practical use
You could run all of the images on your blog through the API to check whether they contain a secret message. You can also look for hidden traces in your latest Instagram image.
If you are looking for a picture with a secret message inside, why don't you test this one:
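Scanning a whole set of blog images, as the paragraph above suggests, is easier with a small client. The following is an added example, not the author's code: it posts the documented {'rstego': uri} body with the standard library only, treats any status other than "safe" as flagged, and is exercised with constructed replies rather than the live endpoint (the "stego" status value and its message are assumptions; the page only shows "safe").

```python
import json
import time
import urllib.request

API_URL = "https://web-production-32ac.up.railway.app/"

# Constructed sample replies (not real API output) so the scan runs offline;
# the "stego" status and its message are assumed, the page only shows "safe".
SAMPLE_REPLIES = {
    "https://example.com/clean.png": {"status": "safe", "message": "",
        "response": "Stego: Roar -> the picture is Safe."},
    "https://example.com/secret.png": {"status": "stego",
        "message": "constructed hidden text", "response": "constructed"},
}

def build_payload(image_uri):
    """Body the API expects: {"rstego": <http(s) URI of the image>}."""
    if not image_uri.lower().startswith(("http://", "https://")):
        raise ValueError(f"not an http(s) URI: {image_uri}")
    return {"rstego": image_uri}

def check_image(image_uri, post=None):
    """POST one URI and return the parsed reply; `post` injects a fake transport."""
    body = json.dumps(build_payload(image_uri)).encode()
    if post is not None:
        return post(body)
    req = urllib.request.Request(API_URL, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def scan_images(image_uris, post=None, delay=1.0):
    """Check many images, pausing between calls so the PoC host is not flooded;
    return {uri: {status, message}} for every image not reported safe."""
    flagged = {}
    for i, uri in enumerate(image_uris):
        time.sleep(delay if i else 0)  # be gentle with the shared PoC budget
        try:
            reply = check_image(uri, post)
        except (OSError, ValueError) as exc:  # network error or bad input
            flagged[uri] = {"status": "error", "message": str(exc)}
            continue
        if reply.get("status") != "safe":
            flagged[uri] = {"status": reply.get("status", "unknown"),
                            "message": reply.get("message", "")}
    return flagged

def fake_post(body):
    """Stand-in transport that answers from SAMPLE_REPLIES."""
    return SAMPLE_REPLIES[json.loads(body)["rstego"]]
```

Call scan_images with your own list of image URIs and post=None to query the live endpoint; unreachable images and non-http(s) URIs show up with status "error" instead of aborting the scan.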
Request
It’s the same as the example above but with a different picture. Did you see the difference?
import requests
import json

url = 'https://web-production-32ac.up.railway.app/'
# This picture is the one with a secret message inside
s_url = "https://talkweb.eu/wp-content/uploads/2021/01/secret.png"
stego_obj = {'rstego': s_url}
r = requests.post(url, json=stego_obj)
# Pretty-print the JSON reply; compare the status field with the safe example
json_output = json.dumps(r.json(), indent=2)
print(json_output)
A favor to ask
I am hosting this PoC API on Railway. Please do not send many requests, because this could exhaust my budget and prevent other people from accessing it. If you want to use it in production, feel free to contact me.
Hi – is this endpoint still active? I’d love to use it, but it seems to be down.
Try this one instead: https://stegoapi.herokuapp.com/