
SECURITY ISSUES [] PNG VIRUSES

Discussion in 'SteamRep API Discussion' started by Fifty Shades of VACation, Mar 21, 2015.

  1. Fifty Shades of VACation (New User)

    Hello, I know I'm new, but I submitted my first report (yaaay :D) and saw that you have to make some screenshots, and the admins that are proving this have to download them. I think you can get a virus by downloading PNG files.

    I would say that you'll have to update something in the API that disables or deletes the EXIF files from the PNGs and JPGs, because there you can inject viruses (especially in the EXIF tags).

    OK, that's it :D Byyee
  2. SilentReaper(SR) (Retired Staff)

    Eh? The API has nothing to do with images or w/e. Think you are misunderstanding a few things:

    What is the API: API is an Application Programming Interface, which websites and gameservers can use to check ID64s on SteamRep to get a simple text answer that can be processed by said website/gameserver.

    The running security "issue" of PNGs containing malicious code is a whole different beast. It means that a website is running a JavaScript that is DECODING a PNG file's metadata to get code from it to run within a browser. As that attack vector is not possible via our site, I can't find this relevant, given what it needs:
    1. Loading of a JavaScript script via the webpage visited
    2. JavaScript loads the PNG image outside of the viewing area of the browser
    3. JavaScript then decodes the PNG metadata/EXIF information, and starts running that.

    #1 requires that the attacker has control over what is loaded via that webpage. As SteamRep is in control of which JavaScripts are loaded on this site, even if the PNG contains metadata/EXIF information, it cannot be loaded, for the JavaScript to decode it isn't running here.

    The issue does not reside on SteamRep. It's an issue with unknown sites you may visit. The best solution to prevent this is the browser plugin named "NoScript".

    Stripping of metadata/EXIF information that is in a PNG, JPG or w/e image file (a lot of different image formats have such metadata) is not really needed here, for almost all are screenshots from the computer, which won't add metadata/EXIF data to them. Even in the small chance that the image contained such, they cannot push the JavaScript decoder script to our users.
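
The metadata stripping discussed in this thread, as an added example that is not part of the original posts and is not SteamRep's code: it walks a PNG's chunk stream, verifies each CRC, and drops the text and EXIF chunks (`tEXt`, `zTXt`, `iTXt`, `eXIf`). It goes slightly beyond the thread by also discarding bytes appended after `IEND`; the function names and the sample image are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Ancillary chunk types that carry free-form text or EXIF metadata.
METADATA_CHUNKS = {b"tEXt", b"zTXt", b"iTXt", b"eXIf"}

def iter_chunks(png: bytes):
    """Yield (type, data) per chunk, validating signature, bounds and CRC."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos < len(png):
        if pos + 12 > len(png):  # length + type + CRC is 12 bytes minimum
            raise ValueError("truncated chunk")
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 8 + length + 4
        if end > len(png):
            raise ValueError("chunk runs past end of file")
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[end - 4:end])
        if crc != zlib.crc32(ctype + data):
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, data
        if ctype == b"IEND":
            return  # anything after IEND is not image data
        pos = end
    raise ValueError("missing IEND chunk")

def make_chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def strip_metadata(png: bytes):
    """Return (clean_png, removed_types); drops metadata chunks and trailing bytes."""
    out, removed = [PNG_SIG], []
    for ctype, data in iter_chunks(png):
        if ctype in METADATA_CHUNKS:
            removed.append(ctype.decode("ascii"))
        else:
            out.append(make_chunk(ctype, data))
    return b"".join(out), removed

# Constructed sample: 1x1 grayscale PNG with a tEXt chunk and junk after IEND.
SAMPLE = (PNG_SIG
          + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
          + make_chunk(b"tEXt", b"Comment\x00constructed metadata payload")
          + make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
          + make_chunk(b"IEND", b"")
          + b"trailing bytes appended after IEND")
```

Calling `strip_metadata(SAMPLE)` returns the rebuilt image bytes and the list of chunk types that were removed; a file with a corrupted chunk raises `ValueError` instead of being passed through.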