This Tiny Picture on Twitter Contains the Complete Works of Shakespeare by Joseph Cox.
From the post:
…
The trick works by leveraging how Twitter handles metadata. Buchanan explained that Twitter strips most metadata from images, but the service leaves a particular type called ICC untouched. This is where Buchanan stored his data of choice, including ZIP and RAR archives.
“So basically, I wrote a script which parses a JPG file and inserts a big blob of ICC metadata,” he said. “The metadata is carefully crafted so that all the required ZIP headers are in the right place.” This process was quite fiddly, he added, saying it took a few hours to complete, although he wrote the script itself over a span of a couple of months.
“I was just testing to see how much raw data I could cram into a tweet and then a while later I had the idea to embed a ZIP file,” Buchanan added.
…
The ICC link points to PhotoME:
PhotoME is a powerful tool to show and edit the meta data of image files. Thanks to the well organised layout and intuitive handling, it’s possible to analyse and modify Exif and IPTC-NAA data as well as analyse ICC profiles – and it’s completely FREE!
Useful link/software but it doesn’t define ICC metadata.
I’m curious because the handling of ICC metadata may be a vulnerability pattern found in other software.
ICC metadata is a color profile defined by the International Color Consortium. The ICC specifications page has links to the widely implemented version 4, Specification ICC.1:2010-12 (Profile version 4.3.0.0); its successor, now in development, Specification ICC.2:2018 (iccMAX); and the previous ICC Profile, Specification ICC.1:2001-04.
The member list of ICC alone testifies to the reach of any vulnerability enabled by ICC metadata. Add to that the implementers of ICC metadata and the images that carry it.
How does your image processing software manage ICC metadata?
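One way to start answering that question on the defensive side, as an added example (not code from the article, from Buchanan, or from PhotoME): a Python check that reassembles the ICC data a JPEG carries in its APP2 segments, validates the ICC header's size field and `acsp` signature, and flags archive signatures inside the blob. The function names and the sample files built by `make_jpeg` and `make_profile` are constructed for illustration.

```python
import struct

ICC_TAG = b"ICC_PROFILE\x00"  # APP2 identifier; followed by chunk number and chunk count
MAGICS = {b"PK\x03\x04": "zip-local-header", b"PK\x05\x06": "zip-end-record",
          b"Rar!\x1a\x07": "rar"}

def icc_payload(jpeg: bytes) -> bytes:
    """Walk JPEG segments up to SOS/EOI and reassemble the APP2 ICC chunks in order."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    chunks, pos = {}, 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xDA, 0xD9):
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])  # length includes its own 2 bytes
        if length < 2:
            raise ValueError(f"corrupt segment length at offset {pos}")
        body = jpeg[pos + 4:pos + 2 + length]
        if jpeg[pos + 1] == 0xE2 and body.startswith(ICC_TAG) and len(body) >= 14:
            chunks[body[12]] = body[14:]  # body[12] = sequence number, body[13] = total
        pos += 2 + length
    return b"".join(chunks[n] for n in sorted(chunks))

def inspect_icc(jpeg: bytes) -> list:
    """Return findings for the embedded ICC data; an empty list means nothing flagged."""
    blob, findings = icc_payload(jpeg), []
    if not blob:
        return findings
    if len(blob) < 128 or blob[36:40] != b"acsp":  # 128-byte header, signature at offset 36
        findings.append("invalid-icc-header")
    elif struct.unpack(">I", blob[:4])[0] != len(blob):  # header bytes 0-3: profile size
        findings.append("size-mismatch")
    findings += [f"{name}@{blob.find(m)}" for m, name in MAGICS.items() if m in blob]
    return findings

def make_jpeg(icc: bytes) -> bytes:
    """Constructed sample: SOI + one APP2 ICC chunk + EOI (no image data)."""
    body = ICC_TAG + b"\x01\x01" + icc
    return b"\xff\xd8\xff\xe2" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"

def make_profile(extra: bytes = b"") -> bytes:
    """Constructed 128-byte ICC header with a consistent size field, plus optional tail."""
    header = struct.pack(">I", 128 + len(extra)) + b"\x00" * 32 + b"acsp" + b"\x00" * 88
    return header + extra

if __name__ == "__main__":
    print(inspect_icc(make_jpeg(make_profile())))                           # clean sample
    print(inspect_icc(make_jpeg(make_profile(b"PK\x03\x04" + b"A" * 20))))  # archive magic
```

A signature match is a heuristic, since a legitimate profile can contain those four bytes by chance, so treat a hit as a reason to inspect the file rather than as proof of an embedded archive.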