Evil GIFs: Partial Same Origin Bypass with Hybrid Files

Many web sites allow users to upload different types of files, in particular GIF and other image files. During a recent webinar to promote the upcoming Black Hat briefings in Las Vegas, a group of researchers announced a hybrid file that can partially bypass a browser's same origin policy. They built a file that is at once a valid GIF and a valid JAR (a "GIFAR"). The trick works because the two formats are parsed from opposite ends: an image decoder reads the GIF structure from the front and stops at the GIF trailer, while a ZIP/JAR reader locates its central directory from the end of the file and tolerates whatever precedes it, so each parser sees exactly what it expects. Once such a file is uploaded to a site that accepts images, a page elsewhere can reference it as an applet archive; the victim's browser fetches it from the hosting site, and the browser's Java plugin runs the applet as if the hosting site had served it, with that site's same-origin privileges (cookies, session, content on that origin). Note that the web server itself does not need to run Java: the JVM that matters is the one in the visitor's browser, and the attacker's applet talks back to the server that hosts the image with the victim's credentials.

Details were not provided, since the researchers say that Sun is still working on a patch. For more on hybrid (image) files as attack vectors, go to minute 41:23 of the webinar.
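
The following is an added example, not code from the post or from the researchers: it builds a GIF/JAR hybrid from a hand-assembled 1x1 GIF and an in-memory JAR (the entry named `Hello.class` holds placeholder bytes, not real bytecode), shows that a "look at the magic bytes" upload check passes it while a ZIP reader still lists its entries, and then walks the GIF block structure to find where the image really ends so that appended data is rejected. All sample data is constructed here; the function names are this example's own.

```python
"""GIF/JAR hybrid: build one, show both parsers accept it, and reject it server-side."""
import io
import struct
import zipfile

# Minimal 1x1 GIF89a assembled by hand (constructed sample for this example).
MINIMAL_GIF = (
    b"GIF89a"
    + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)       # logical screen 1x1, global color table, 2 entries
    + b"\x00\x00\x00\xff\xff\xff"                    # global color table: black, white
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) # image descriptor at (0,0), 1x1, no local table
    + b"\x02"                                        # LZW minimum code size
    + b"\x02\x44\x01"                                # one data sub-block: clear, pixel 0, end-of-information
    + b"\x00"                                        # sub-block terminator
    + b"\x3b"                                        # GIF trailer
)


def build_jar(entries):
    """Build an in-memory JAR: a ZIP archive with a META-INF/MANIFEST.MF entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_gifar(gif, jar):
    """Image first, archive second: GIF decoders stop at the trailer, ZIP readers find
    the end-of-central-directory record from the back and accept prefixed data."""
    return gif + jar


def magic_check_passes(data):
    """The naive upload check many sites rely on: inspect the first bytes only."""
    return data[:6] in (b"GIF87a", b"GIF89a")


def jar_entry_names(data):
    """What a ZIP/JAR reader sees when handed the hybrid file."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sorted(zf.namelist())


def gif_end_offset(data):
    """Walk the GIF block structure; return the offset just past the trailer (0x3B)."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 6
    _, _, flags, _, _ = struct.unpack_from("<HHBBB", data, pos)
    pos += 7
    if flags & 0x80:                                 # global color table: 3 * 2^(N+1) bytes
        pos += 3 * (2 << (flags & 0x07))

    def skip_sub_blocks(p):                          # length-prefixed blocks until a 0 length
        while True:
            n = data[p]
            p += 1
            if n == 0:
                return p
            p += n

    while True:
        if pos >= len(data):
            raise ValueError("truncated GIF")
        tag = data[pos]
        pos += 1
        if tag == 0x3B:                              # trailer: image ends here
            return pos
        if tag == 0x21:                              # extension: label byte, then sub-blocks
            pos = skip_sub_blocks(pos + 1)
        elif tag == 0x2C:                            # image descriptor
            _, _, _, _, iflags = struct.unpack_from("<HHHHB", data, pos)
            pos += 9
            if iflags & 0x80:                        # local color table
                pos += 3 * (2 << (iflags & 0x07))
            pos = skip_sub_blocks(pos + 1)           # LZW min code size, then data sub-blocks
        else:
            raise ValueError("unknown block 0x%02x" % tag)


def is_hybrid_upload(data):
    """Reject GIFs that carry bytes after the trailer or that a ZIP reader would accept."""
    try:
        end = gif_end_offset(data)
    except (ValueError, IndexError, struct.error):
        return True                                  # malformed: do not accept either
    trailing = len(data) - end
    return trailing > 0 or zipfile.is_zipfile(io.BytesIO(data))


if __name__ == "__main__":
    jar = build_jar({"Hello.class": b"placeholder, not real bytecode"})
    gifar = build_gifar(MINIMAL_GIF, jar)
    print("magic-byte check passes:", magic_check_passes(gifar))
    print("ZIP reader lists:", jar_entry_names(gifar))
    print("GIF ends at byte", gif_end_offset(gifar), "of", len(gifar))
    print("rejected as hybrid:", is_hybrid_upload(gifar))
```

The trailer walk catches appended archives, which is the layout the post describes, but it is only a filter: the robust mitigations are to decode and re-encode every uploaded image with an image library so that no foreign bytes survive, and to serve user uploads from a separate origin (a dedicated domain with no session cookies), so that even a hybrid that slips through runs with no useful privileges.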

  • It would really be great if you could put a transcript in the post as opposed to visiting a Webinar.

    Text is easier to refer to and reference than audio.

    This could have had extreme consequences such as: malicious users uploading hybrid logos to forums, blogs and social bookmarking member sites.

    The most extreme example would be infecting sites like Flickr or Digg. Or even creating blogs on sites like Blogspot for the sole purpose of uploading those images.

  • It’s unclear if this is a client-side or server-side exploit – you mention the same origin policy which suggests that the exploit is an applet that runs in a browser, but then you mention that the server needs a JVM which would mean code gets executed on the server. It seems more likely that this is a browser exploit as opposed to a code-executing-on-the-server exploit.