this post was submitted on 09 Aug 2025
69 points (96.0% liked)

Privacy

3507 readers
191 users here now

Welcome! This is a community for all those who are interested in protecting their privacy.

Rules

PS: Don't be a smartass and try to game the system, we'll know if you're breaking the rules when we see it!

  1. Be civil and no prejudice
  2. Don't promote big-tech software
  3. No apathy and defeatism for privacy (i.e. "They already have my data, why bother?")
  4. No reposting of news that was already posted
  5. No crypto, blockchain, NFTs
  6. No Xitter links (if absolutely necessary, use xcancel)

Related communities:

Some of these are only vaguely related, but great communities.

founded 9 months ago
MODERATORS
fxomt@lemmy.dbzer0.com
otter@lemmy.ca
shaytan@lemmy.dbzer0.com
fxomt@piefed.social
69
Adult sites are stashing exploit code inside racy .svg files (arstechnica.com)
submitted 6 days ago by sabreW4K3@lazysoci.al to c/privacy@lemmy.dbzer0.com
25 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] lambalicious@lemmy.sdf.org 4 points 5 days ago (1 children)

Only an idiot parses an image file as executable code.

[–] CeeBee_Eh@lemmy.world 5 points 5 days ago (1 children)

I can't tell if you're being serious or just making a joke.

[–] lambalicious@lemmy.sdf.org 4 points 4 days ago (1 children)

It works both ways, which ultimately is the issue.

[–] CeeBee_Eh@lemmy.world 2 points 4 days ago (1 children)

A well created malicious exploit will look like an image (or any other file) to a user, but can execute arbitrary code.

That's why I thought maybe you were just making a joke.

[–] lambalicious@lemmy.sdf.org 2 points 3 days ago (1 children)

Sure but that requires the given parser (the web browser, the image lib, etc) to arbitrarily run code in the first place. Which... well, why? It's an image, not a program. Treat it as an image. Hence "only an idiot" writes an image parser to actually execute an image (same with eg.: only an idiot would write an MP3 parser that arbitrarily executes an MP3).

Even if an SVG had JS in it, as an image-proccessing lib the correct method would be not to try to run the JS in your SVG by yourself but rather just hand it down to whoever is processibg JS at the moment (which would be, well, the browser context and its sandbox).

[–] CeeBee_Eh@lemmy.world 1 points 3 days ago

I don't think you understand how exploits work. We're not talking about "running JS in an image viewer".

https://blog.cloudflare.com/inside-imagetragick-the-real-payloads-being-used-to-hack-websites-2/

https://www.bitdefender.com/en-us/blog/hotforsecurity/openjpeg-vulnerability-allows-execution-of-malicious-code-using-crafted-images

that requires the given parser (the web browser, the image lib, etc) to arbitrarily run code in the first place

At the most base level, every image is data, and any data can theoretically be code. The image's data has to be parsed (like you said) and the parser can be exploited to trigger code execution.