A picture may be worth a thousand logins
Hackers will reveal a new way to steal user accounts with pictures later this week, at the Black Hat security conference in Las Vegas. The method uses hybrid files that are read as photos by some programs and as code by others. These hybrid files can carry embedded code, such as Java, and be uploaded to websites such as Facebook, MySpace, or eBay, where they can skirt security measures and do harm.
John Heasman, vice president of research at Next Generation Security Software, claims to have made "Java applets that for all intents and purposes is an image," and calls them GIFAR files, a combination of GIF, an image format, and JAR, an archive of Java code. Heasman says users would have to be logged into the website in order for the malicious code to work, and that "the attack is going to work best wherever you leave yourself logged in for long periods of time" — just about any social network, in other words.
To defend against such attacks, the researchers note that websites could implement filtering tools to sniff out suspicious files. Sun Microsystems, maker of Java, could also update the Java runtime environment to prevent attacks. The researchers expect Sun to release a fix soon after the Black Hat conference.
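As an added example (not from the article or from Heasman's research), here is a filter of the kind the researchers suggest: it reads an uploaded "image" the way a Java archive loader would, locating the ZIP central directory from the end of the file, and flags a GIF that also carries a coherent archive. The sample input is constructed inline with a filler `.class` entry, not real bytecode.

```python
import io
import struct
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")
EOCD_SIG = b"PK\x05\x06"  # ZIP end-of-central-directory record
CDH_SIG = b"PK\x01\x02"   # ZIP central-directory file header


def find_zip_tail(data):
    """Locate a ZIP central directory the way a JAR loader does: from EOF backwards.

    Returns (prefix_len, entry_names) or None. prefix_len is the number of
    bytes (e.g. a GIF) sitting in front of the archive; a JAR loader ignores
    them, which is exactly what makes an image/archive hybrid work.
    """
    eocd = data.rfind(EOCD_SIG, max(0, len(data) - 65557))  # EOCD + max comment
    if eocd < 0 or eocd + 22 > len(data):
        return None
    # EOCD: total entries @10 (2), cd size @12 (4), cd offset @16 (4)
    n_total, cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    cd_start = eocd - cd_size  # real position, independent of prepended bytes
    if cd_start < 0 or data[cd_start:cd_start + 4] != CDH_SIG:
        return None
    names, pos = [], cd_start
    for _ in range(n_total):
        if data[pos:pos + 4] != CDH_SIG:
            break
        # CDH: name len @28, extra len @30, comment len @32, name starts @46
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        names.append(data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"))
        pos += 46 + name_len + extra_len + comment_len
    return cd_start - cd_offset, names


def classify_upload(data):
    """Label an upload: 'gif', 'gifar', 'gif+zip polyglot', 'jar', 'zip' or 'unknown'."""
    is_gif = data[:6] in GIF_MAGICS
    tail = find_zip_tail(data)
    if tail is None:
        return "gif" if is_gif else "unknown"
    prefix_len, names = tail
    jar_like = any(n.endswith(".class") or n.startswith("META-INF/") for n in names)
    if is_gif and prefix_len > 0:
        return "gifar" if jar_like else "gif+zip polyglot"
    return "jar" if jar_like else "zip"


def build_sample():
    """Constructed test input: a 14-byte GIF stub followed by a ZIP with filler entries."""
    gif_stub = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00" + b";"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Applet.class", b"\x00" * 16)  # filler bytes, not bytecode
    return gif_stub + buf.getvalue()
```

Decoding the file with an image library and re-encoding it, or rejecting any image whose tail parses as an archive, are the two server-side responses this check enables.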