The Problem

Hackers are embedding malicious code within compromised images uploaded to trusted Google sites – weaponizing those websites while staying under the radar. Malware that hides its code in Exchangeable Image File Format (EXIF) data has migrated to a new platform: GoogleUserContent sites, such as Google+ and blogger forums.

More specifically, the code is injected into the technical EXIF metadata of the images hosted on the website. EXIF headers are generated automatically by digital cameras to record camera information in the headers of JPEG and TIFF files, and image viewers display the picture without ever showing those fields, so an image carrying injected text still looks perfectly normal. Hackers gain write access to the EXIF data of existing images by exploiting vulnerabilities in the website that expose its code or files; from there, they can inject malicious code into those metadata fields.
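As an added illustration (not code from the original post), here is a small Python scanner a site owner could run over uploaded images: it walks the JPEG header segments and flags script-like text sitting in EXIF (APP1) or comment segments, which is exactly where a normal viewer never looks. The token list, the segment names and the sample image built by `build_sample_jpeg` are constructed for this demo.

```python
# Added example (not from the original post): a minimal JPEG segment walker that
# flags script-like text hidden in metadata segments (APPn such as EXIF, and COM).
# The token list and the sample image below are constructed for illustration.

SUSPICIOUS_TOKENS = (b"<?php", b"eval(", b"base64_decode(", b"<script")
SEGMENT_NAMES = {0xE1: "APP1/EXIF", 0xFE: "COM"}


def scan_jpeg_metadata(data: bytes) -> list:
    """Return (segment, absolute offset, token) hits found in JPEG metadata.

    Only the header segments before Start-Of-Scan are inspected; a picture with
    injected EXIF text still decodes normally, so this hit list, not the rendered
    image, is what reveals the problem.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    hits = []
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"corrupt segment marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):                      # SOS or EOI: metadata is behind us
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:    # standalone markers carry no length
            pos += 2
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")  # counts its own 2 bytes
        payload = data[pos + 4:pos + 2 + length]
        if 0xE0 <= marker <= 0xEF or marker == 0xFE:    # APP0..APP15 and COM segments
            name = SEGMENT_NAMES.get(marker, f"APP{marker - 0xE0}")
            for token in SUSPICIOUS_TOKENS:
                idx = payload.find(token)                # raw scan: tag layout does not matter
                if idx != -1:
                    hits.append((name, pos + 4 + idx, token))
        pos += 2 + length
    return hits


def build_sample_jpeg(exif_text: bytes) -> bytes:
    """Constructed minimal JPEG: SOI, one APP1 EXIF segment, SOS, EOI."""
    body = b"Exif\x00\x00" + exif_text
    app1 = b"\xff\xe1" + (len(body) + 2).to_bytes(2, "big") + body
    return b"\xff\xd8" + app1 + b"\xff\xda\x00\x02\xff\xd9"


if __name__ == "__main__":
    clean = build_sample_jpeg(b"Make=ExampleCam;Model=X1")
    tainted = build_sample_jpeg(b"Make=ExampleCam;Comment=<?php /* placeholder */ ?>")
    print("clean  :", scan_jpeg_metadata(clean))      # []
    print("tainted:", scan_jpeg_metadata(tainted))    # [('APP1/EXIF', 36, b'<?php')]
```

Run it over a directory of uploads after a suspected compromise; a hit does not prove execution, but it tells you which files to quarantine and rewrite with the metadata stripped.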

This type of malware infection is possible on any site with downloadable images, not just sites generated within the GoogleUserContent system. However, the technique's spread to Google-hosted content is a more severe problem, for two reasons: one, Google images are widely downloaded and trusted; and two, it's harder to report any exposed malware infections.

I’m sorry… what does all that technical jargon mean to me?

Have you ever done a Google image search to find a picture to include in an email or on a blog post or put into an Evite or post to Facebook? Sure, we all have.  You enter your search, let’s say for… anchovy pizza. Approximately a gazillion pictures of pizza appear, you find the one you like and it happens to be located on a Google+ site or a blog…but you don’t check for that. You just right click, hit “Save Image As” and save it to your desktop… it could (and we emphasize could) contain malware.

To reduce the chances of this happening, check that a website is secured (your browser should tell you in the address bar), but remember that the padlock only means the connection is encrypted, not that the content is safe, so assume that no file or image is safe. Don't download images from unknown sources. Keep up to date with security patches, use strong passwords and a firewall, and periodically review the integrity of your files.

The Good News

This technique is hard to carry out at scale – widespread website infections would require automation and the exploitation of specific vulnerabilities on each target site. Google doesn't mess around, so we're hopeful they will make the fix quickly and effectively with better anti-malware techniques and content analysis tools.