Exif Smuggling (2025)
rolph
76 points
24 comments
June 09, 2026
Discussion Highlights (8 comments)
ale42
Weren't similar techniques already used years ago by malvertizers to hide malicious code in images published for ads so it wouldn't be detected? (although it might have been more like steganography)
porphyra
Mildly annoying how almost everything strips out EXIF data nowadays, in part due to security concerns like this, and then I can't find out what camera, lens, and settings were used to take photos.
mkoryak
I hid my toy vibe coded site's code inside the alpha channel of its logo. https://dogself.com I probably should have minified it too...
BoppreH
Oh, that's clever. It's not just hiding the payload in the Exif, it's hiding the fact that the payload came from the network at all, by reading it from the browser cache (presumably after embedding the image into a page the user visited). So you have a package that doesn't include (directly) malicious code or make network calls, yet it can still run malicious code from the network. This is much better than simple obfuscation because you can vary the payload, like a command-and-control server.
Omni5cience
Why is this a link to a random fork that has no commits, rather than the original?
Grom_PE
It isn't necessary to use Exif to embed arbitrary data inside an image. Could as well use PNG extra chunk, JFIF app marker, or simply append data to the end of the file. It would be more interesting to devise a method that survives all extra data stripping and re-encoding, perhaps taking advantage of deterministic encoders, assuming they don't randomize pixel data on purpose. In other words: turning the image data stream itself into a polyglot.
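Added example, not part of the thread or of the linked project: a defender-side inventory of the three carriers named in the comment above (PNG extra chunks, JPEG APPn/COM segments including Exif, and bytes appended after the end-of-image marker). The function names and the sample byte strings are constructed for illustration, and the JPEG walker assumes the first EOI after the scan header ends the image.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_CORE = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}  # all a plain decoder needs

def scan_png(data):
    """Return ([(chunk type, length)] for non-core chunks, bytes after IEND)."""
    extras, pos = [], len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # length field + type + body + CRC
        if ctype == b"IEND":
            break
        if ctype not in PNG_CORE:
            extras.append((ctype.decode("latin-1"), length))
    return extras, max(0, len(data) - pos)

def scan_jpeg(data):
    """Return ([(marker, payload length)] for APPn/COM, bytes after EOI)."""
    extras, pos = [], 2  # skip SOI (FFD8)
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker, seglen = data[pos + 1], struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:  # SOS: scan data follows; simplification: first EOI ends the image
            eoi = data.find(b"\xff\xd9", pos + 2 + seglen)
            return extras, (len(data) - eoi - 2 if eoi != -1 else 0)
        if 0xE0 <= marker <= 0xEF or marker == 0xFE:  # APP0..APP15 (JFIF, Exif, ...) and COM
            extras.append((f"FF{marker:02X}", seglen - 2))
        pos += 2 + seglen
    return extras, 0

# --- constructed samples (structural skeletons built here, not real photos) ---
def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def _seg(marker, body):
    return bytes([0xFF, marker]) + struct.pack(">H", len(body) + 2) + body

SAMPLE_PNG = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _chunk(b"tEXt", b"Comment\x00constructed-marker")
              + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
              + _chunk(b"IEND", b"") + b"TRAILING")
SAMPLE_JPEG = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
               + _seg(0xE1, b"Exif\x00\x00constructed")
               + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\xd9" + b"EXTRA")

if __name__ == "__main__":
    print("png :", scan_png(SAMPLE_PNG))
    print("jpeg:", scan_jpeg(SAMPLE_JPEG))
```

This only sees container-level carriers; data encoded in the pixel stream itself, the case the comment calls more interesting, is invisible to it.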
_def
Many many years ago I saw someone using an image hoster which only checked mime type, and not filename. That's the important bit after all, right? Uploading an image as image.php worked, and if the exif comment contained php code, it ran.
motohagiography
is this within the category of normal steganographic encodings and packers, or does it have the ability to execute itself? you can encode anything as anything. I am interpreting it's a slightly interesting tool to fool signature based detection, but isn't something like running a weird machine in an external decoder.