
Hackers hide credit card stealing script in favicon metadata - interweb
https://www.bleepingcomputer.com/news/security/hackers-hide-credit-card-stealing-scripts-in-favicon-exif-data/
======
IMAYousaf
I'm not sure about others, but to me this is quite fascinating and clever. I'm
a decent engineer who can build and maintain codebases, but I've never been
well versed in the depths of knowledge needed to do things like this.

In a hypothetical scenario, what would I need to learn to be able to pull
something like this off, from conceiving of it to actually executing it?

~~~
Shared404
IANA expert, but...

As far as conceiving the attack, you would just need to "think outside the
box", as much as I hate that expression. These attacks are derived from
someone thinking "Huh, I wonder if this would work" about some crazy idea, and
then trying it out.

As far as execution, if I were running this attack I would probably set up a
site like [1] (No endorsement, this is just the first thing that popped up in
a search). I would take people's pictures, spit out their favicon, along with
the JS embedded in the exif data. They would then put it on their site, and
wind up serving it to their customers.

[1] [https://www.favicon-generator.org/](https://www.favicon-generator.org/)

edit: forgot to actually link the site.
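
A defender-side check for the vector described above (an added example, not code from the thread or the article): it walks a PNG favicon's chunks, pulls out the free-form metadata chunks (tEXt/zTXt/iTXt and the eXIf chunk) and flags text that looks like inline JavaScript rather than a copyright string. It assumes PNG favicons (ICO containers would need a different parser); the marker list and the constructed sample payload are my own.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# PNG chunks that carry free-form metadata rather than pixel data.
METADATA_CHUNKS = {b"tEXt", b"zTXt", b"iTXt", b"eXIf"}
# Strings image metadata never needs but inline JS loaders routinely use (assumed heuristic).
JS_MARKERS = (b"<script", b"eval(", b"atob(", b"document.", b"fetch(", b"xmlhttprequest")

def png_chunks(data):
    """Yield (type, payload) for every chunk in a PNG byte string."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, data[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + payload + 4 CRC

def suspicious_metadata(data):
    """Return (chunk type, marker) pairs for JS-looking text found in metadata chunks."""
    hits = []
    for ctype, payload in png_chunks(data):
        if ctype not in METADATA_CHUNKS:
            continue
        if ctype == b"zTXt":  # layout: keyword NUL method(1 byte) zlib-compressed text
            keyword, _, rest = payload.partition(b"\x00")
            try:
                payload = keyword + zlib.decompress(rest[1:])
            except zlib.error:
                pass  # corrupt chunk: fall back to scanning the raw bytes
        text = payload.lower()
        hits += [(ctype.decode(), m.decode()) for m in JS_MARKERS if m in text]
    return hits

def png_chunk(ctype, payload):
    """Assemble one PNG chunk with its CRC (used to build the constructed sample)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def sample_favicon(copyright_text):
    """Constructed 1x1 RGB PNG whose tEXt 'Copyright' field holds the given bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\xff\xff")  # one filter byte + one white pixel
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"tEXt", b"Copyright\x00" + copyright_text)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))
```

Run `suspicious_metadata(open("favicon.png", "rb").read())` over the favicons a site actually serves; a non-empty result is a reason to diff the file against what was uploaded to the generator.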

~~~
IMAYousaf
Appreciate it. You're quite right about thinking outside of the box. I guess I
need a better baseline of understanding to be able to do that better in this
case.

The entry point of the attack vector is interesting though. I wouldn't have
considered a third-party service "innocuously" causing the problem as I was
trying to think of a sexier direct exploit into the website's system.

~~~
Shared404
Glad to be of service. If you want to learn more about security hacking, check
out hackthissite.org, and I would be happy to recommend some more things to
check out if you're interested.

Indeed. Honestly, I only realized it because I saw that site when I looked up
favicon. Otherwise, I would have been doing the same thing.

~~~
IMAYousaf
Appreciate it. Will take all the resources you got.

~~~
Shared404
Sorry, I just saw this.

Disclaimer: I'm not particularly good at this, so whatever comments I make are
well intentioned but may be of varying accuracy.

...

Online sources:

* OWASP.org is a good place to find info. If you look something up, there's a good chance you will find it here.

* [https://owasp.org/www-project-web-security-testing-guide/](https://owasp.org/www-project-web-security-testing-guide/) Thanks to redis_mic for this one, I didn't know it existed until today.

* overthewire.org Similar to HTS, but you don't need an account. The subject matter covered is also slightly different.

* [https://0x00sec.org/](https://0x00sec.org/) A forum dedicated to security. There's a lot of script kiddies, but also some gold.

* [https://www.hackerone.com/](https://www.hackerone.com/) What better way to learn than practice on live targets? That being said, I would do some of the others first.

...

I do a lot of learning through reading, so books:

* Network Security Assessment by Chris McNab. I have the second edition, which is a good and instructive read, but quite outdated.

* Real-World Bug Hunting by Peter Yaworski. Web security 101. Good read, and fairly useful.

* Advanced Penetration Testing by Wil Allsopp. Outdated, but interesting. You will never use Flash again after reading this.

* Social Engineering: The Science of Human Hacking by Christopher Hadnagy. This is a very interesting read. Also, one of the few that can't go out of date.

...

This should be enough to get you started. There are a couple more books I can
think of, but they tend to be more specialized into certain fields of security
and less approachable/generally applicable. If you want these recommendations
as well, feel free to email me; my email's in my bio.

~~~
IMAYousaf
Thank you so much!

