Steganography is the art and science of embedding secret messages in a cover message so that no one, apart from the sender and intended recipient, suspects the existence of the message. 

The most common example is to hide a message in an image file without compromising how the image looks. Most people use the photos to share a fantastic moment or two and don’t know they can contain a secret message.

What could be the use case?

  • Someone can hack your phone and embed your text messages in the pictures you take and share on Instagram. 
  • A not-so-happy employee can post a picture on your blog with a secret message to share some trade secrets with your competitors. 
  • Another person can embed an exploit in a PNG ad image; JavaScript code would parse the PNG image, extract the malicious code, and redirect the user to the exploit kit landing page.
  • Steganography is also a well-known method for exchanging information between spies. 

Even if it sounds like science fiction, this is a viable threat against your systems and you.

Steganography Protector API

I have created an API (as a Proof of concept) that could discover a secret message hidden in any image file.  

The end-point is here (a new one after Heroku shutdown):

https://web-production-32ac.up.railway.app/

It accepts POST requests only. The input is a valid URI of an image.

Examples

Request

 import requests
 import json

 url = 'https://web-production-32ac.up.railway.app/'
 s_url = "https://1gr.cz/o/newspaper/images/vyber-mfd-3.png"
 stego_obj = {'rstego': s_url}
 r = requests.post(url, json = stego_obj)
 json_output = json.dumps(r.json(), indent=2)

 print(json_output)

Response

 {
  "imgurl": "https://1gr.cz/o/newspaper/images/vyber-mfd-3.png",
  "message": "",
  "response": "Stego: Roar -> the picture is Safe.",
  "status": "safe"
}

Practical use

You could read all of your images from your blog via the API to check whether they contain a secret message. You can also explore hidden traces in your last Instagram image.

If you are looking for a picture with a secret message inside – why don’t you test this one:

Request

It’s the same as the example above but with a different picture. Did you see the difference?

 import requests
 import json

 url = 'https://web-production-32ac.up.railway.app/'
 s_url = "https://talkweb.eu/wp-content/uploads/2021/01/secret.png"
 stego_obj = {'rstego': s_url}
 r = requests.post(url, json = stego_obj)
 json_output = json.dumps(r.json(), indent=2)

 print(json_output)

A favor to ask

I am hosting this POC API with Railway. Please do not create many requests because this could exhaust my budget and prevent people from accessing it. If you want a production use, feel free to contact me.

2 thoughts on “Steganography API at your service. (upd)

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.