Photo

can someone hack a macbook by sending a photo in email which you click on?


12 replies to this topic

#1 BustedFlush

  • Members
  • 52 posts
  • Gender:Male

Posted 28 November 2016 - 12:01 PM

Sorry if this is simple; I've tried to search but can't seem to get a clear, up-to-date answer.

Nothing downloaded, just clicked and viewed enlarged from within Gmail. I realise this is a basic question, but what could doing so give the hacker? What have I potentially left myself open to here?

Sorry if this seems paranoid, but it'd really help me if I can get an answer on it. Thanks.


Edited by BustedFlush, 28 November 2016 - 12:05 PM.


#2 BustedFlush

  • Topic Starter
  • Members
  • 52 posts
  • Gender:Male

Posted 28 November 2016 - 02:19 PM

I'm certain this has been carried out. I realise this sounds crazy, but the mail seems very suspect. I have pulled the net cables out and shut down the Mac. I did this within ten minutes of opening the mail; what have I potentially given the hacker here? Assuming they did not act in the timeframe, and I do not reconnect, and erase the HD and all data, am I safe?

I understand this sounds crazy, but the whole thing is very clear to me.



#3 iangcarroll

  • Members
  • 658 posts
  • Gender:Male
  • Location:Birmingham, MI

Posted 28 November 2016 - 02:26 PM

Generally, no. If your browser was up to date, you are probably fine. Modern browsers (Chrome, Safari, Edge, mostly Firefox) have strong sandboxes and security in general, so unless you're a valuable target to someone I doubt it did anything. :)

Ian Carroll https://ian.sh • Certly Inc
 
Member of the Bleeping Computer A.I.I. early response team!


#4 BustedFlush

  • Topic Starter
  • Members
  • 52 posts
  • Gender:Male

Posted 28 November 2016 - 02:48 PM

Thanks Ian much appreciated.

 

I have Chrome version 54.0.2840.98, 64-bit, if that means much to you? I did some reading about Stegosploit, which this sounds like. I am concerned someone has targeted me specifically and maliciously, so this could be more than a vague phishing or fraud case.

I am solely using my iPod (not jailbroken) at this point, from a cafe. Could that be compromised too?

In the worst-case scenario, is the damage already done re data theft, passwords etc.? Is it an instant dump of this info? Sorry if this is basic, but I am not very sharp with all this :(


Edited by BustedFlush, 28 November 2016 - 02:52 PM.


#5 iangcarroll

  • Members
  • 658 posts
  • Gender:Male
  • Location:Birmingham, MI

Posted 28 November 2016 - 03:09 PM

"Stegosploits", if you will, only obfuscate an actual exploit for your browser, and would require JavaScript execution, which is not something you have in an email or in an image. Your Chrome version is up to date, and I would doubt you were (successfully) attacked.

In the nearly impossible scenario in which someone obtains code execution in Chrome's process (via an image, no less), bypasses the macOS "Seatbelt", and obtains some form of code execution, yes, it wouldn't take too long to steal important files, but unless you have reason to believe someone on the level of a nation-state would attack you (and want something on your computer)... you're probably fine. :)

If your iPod is on the latest version of iOS 10, you are also likely fine. The easiest way to lower your attack surface is to open less things, obviously.

#6 iangcarroll

  • Members
  • 658 posts
  • Gender:Male
  • Location:Birmingham, MI

Posted 28 November 2016 - 04:12 PM

Also, if you post a thread in the "Am I infected?" forum, I can help you run some diagnostic tools on your computer to see if I can spot any malware. The tools available for macOS are quite limited, though.

#7 Viper_Security

  • Members
  • 821 posts
  • Gender:Male
  • Location:127.0.0.1

Posted 28 November 2016 - 04:34 PM

Just reiterating what iangcarroll has said.

Steganography is not easy to do correctly.

So unless you are a "whale" or something of the sort, I wouldn't worry about it too much, as iangcarroll has said:

"In the nearly impossible scenario in which someone obtains code execution in Chrome's process (via an image, no less), bypasses the macOS "Seatbelt", and obtains some form of code execution, yes, it wouldn't take too long to steal important files, but unless you have reason to believe someone on the level of a nation-state would attack you (and want something on your computer)... you're probably fine. :)"

There is a lot to go through, and I'm pretty sure no one wants to do that for simple files/MP3s etc.


Edited by Viper_Security, 28 November 2016 - 04:34 PM.

    IT Auditor & Security Professional

#8 BustedFlush

  • Topic Starter
  • Members
  • 52 posts
  • Gender:Male

Posted 29 November 2016 - 03:17 AM

Thank you to you both very much. I'm no person of interest but I am concerned someone is specifically targeting me.

 

Ian, I don't really understand a lot of the terms in your latest reply. 'Obfuscate an exploit for your browser': in simple terms, what does this mean?

Effectively you mean they couldn't get into the Mac itself to execute things and set up spyware? But they could get access to simple info; what sort of info could they get access to?

Sorry if these are dumb questions; it just seems very out of the ordinary to me.

PS: I read this article and it seems to suggest they can do quite a lot with this. Is this article credible?

 

https://www.google.co.uk/amp/thehackernews.com/2015/06/Stegosploit-malware.html%3Famp%3D1?client=safari


Edited by BustedFlush, 29 November 2016 - 03:43 AM.


#9 BustedFlush

  • Topic Starter
  • Members
  • 52 posts
  • Gender:Male

Posted 29 November 2016 - 08:44 AM

I am certain that this has been attempted here. The contact makes no sense other than to run this hack attempt. All I need to know now is how much has been compromised from it, and what my next steps should be. It seems a person is targeting me personally, so it goes beyond the usual scammers looking for credit cards and such.

The only other possibility is they did this just to find my IP address, which I understand can also be taken from someone clicking a link in a mail and would be much easier. I realise I probably sound paranoid here, but are there any steps at this point beyond staying offline and erasing it to factory settings? I guess the Mac is now compromised and can have software like keystroke loggers and other spyware installed :(



#10 iangcarroll

  • Members
  • 658 posts
  • Gender:Male
  • Location:Birmingham, MI

Posted 29 November 2016 - 09:25 AM

I'm pretty sure Google proxies images, so you can't really have your IP exposed by viewing an image in an email on gmail.com, but IPs are not usually useful for an attacker, unless they want to knock you offline.

Stegosploits are a vehicle that you can put an exploit into. The exploit here is the hard part! But viewing emails from gmail.com should prevent you from even running anything from a "stegosploit", because stegosploits require the browser to interpret the image as HTML, which should not happen on gmail.com.

Essentially, the work required for an attacker to make an image automatically install malware is enormous. Unless there is a clear reason for an adversary to want to spend hundreds of thousands of dollars on stealing your files, you're probably being too paranoid.

And yes, in our very unlikely scenario of someone exploiting your browser, you would need to assume all of your files were compromised.

I would ask you to send me the image, but if we're assuming it has malware in it, I guess it would be troublesome to send it.

#11 BustedFlush

  • Topic Starter
  • Members
  • 52 posts
  • Gender:Male

Posted 29 November 2016 - 10:20 AM

Thanks Ian, really appreciate it!

 

But wouldn't your assessment go against the premise of the article I posted, which states it's pretty easy for a half-decent hacker to run these?

The mail was so incongruous, and on even a second's afterthought so clearly sent with intent, that there has to have been an attempt to get in; otherwise it would make no sense. It really is that clear to me, and at this point I'm certain it's not paranoia. I'm certainly no one anyone would spend money chasing, but to a talented tech guy who may have a grudge, I may be a target.

Re sending the pic, I wouldn't know how to do that safely, but thanks for the offer. My concern now is what has been breached and how to manage things to minimise it.

 

Frankly the whole thing is very stressful.


Edited by BustedFlush, 29 November 2016 - 10:22 AM.


#12 Viper_Security

  • Members
  • 821 posts
  • Gender:Male
  • Location:127.0.0.1

Posted 29 November 2016 - 03:11 PM

If you would like, you can send me the image and I can try to reverse engineer it to see if there actually is exploit code, a 0-day, or something of the sort.

(The best way to tell, without dissecting it, is to look at the image size.) Say you have a picture that's 166 KB; if someone did some stego magic, the same image would be much larger, e.g. 1.2 MB or something.


#13 iangcarroll

  • Members
  • 658 posts
  • Gender:Male
  • Location:Birmingham, MI

Posted 29 November 2016 - 04:23 PM

Stegosploits are a car's shell. You still need an engine, seats, etc (i.e. the actual exploit), and fitting all those together is very difficult. It is not an actual exploit, and even if it was, stegosploits do not work when you view an email through Gmail's proxy (which you will whenever you use gmail.com or inbox.google.com).

Zerodium will buy a Chrome vulnerability like this for $80,000. An attacker could likely sell it for even more because of the fact it would be just via a simple image. Do you seriously believe someone has enough of a grudge against you to burn or put into jeopardy ~$100,000? They would likely need to invest weeks into finding this vulnerability and breaking out of Chrome's sandbox, assuming your tech friends are exceedingly competent in programming and exploitation.

Your confidence in what has happened here is not in proportion to your knowledge. Do not underestimate the stupidity of spammers.

Edited by iangcarroll, 29 November 2016 - 04:24 PM.

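Added example (not part of this thread, and not the posters' own code): a small triage script for the two points raised above. Posts #10 and #13 explain that a "stegosploit" is a polyglot, a file that is a valid image but also contains HTML/JavaScript the browser would only run if it were served and interpreted as HTML; post #12 suggests judging by file size. This script walks a JPEG's marker segments and reports the two places such a payload can actually live (inside COM/APPn segments, or appended after the EOI marker) and whether those bytes contain HTML/JS tokens. File size alone is not a reliable indicator: LSB steganography leaves the size unchanged, and a polyglot trailer can be only a few hundred bytes. The sample JPEG skeletons below are constructed inline (they are structurally valid marker sequences, not viewable pictures); the token list is an assumption, a starting heuristic rather than a complete signature set, and a hit means "this file is more than an image", not "this file exploits a browser".

```python
import re
import struct

# Markers that carry no length/payload: SOI, EOI, TEM and the RSTn restart markers.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))
# Assumed heuristic token list; an attacker can obfuscate past this, so treat hits as leads, not proof.
HTML_TOKENS = re.compile(rb"<script|<html|<svg|<iframe|javascript:|onload=|eval\(", re.IGNORECASE)


def parse_jpeg(data):
    """Walk JPEG marker segments.

    Returns (segments, trailing): segments is a list of (marker, payload) tuples
    (entropy-coded scan data is tagged with marker None); trailing is any data
    found after the EOI marker, which a well-formed image never has."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    segments = []
    pos = 2
    while pos < len(data) - 1:
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        pos += 2
        if marker == 0xD9:                      # EOI: everything after it is trailing data
            return segments, data[pos:]
        if marker in STANDALONE:
            segments.append((marker, b""))
            continue
        length = struct.unpack(">H", data[pos:pos + 2])[0]   # length field includes its own 2 bytes
        segments.append((marker, data[pos + 2:pos + length]))
        pos += length
        if marker == 0xDA:                      # SOS: skip entropy data up to the next real marker
            start = pos
            while pos < len(data) - 1:
                # 0xFF00 is a stuffed byte and 0xFFD0-D7 are restart markers; both belong to the scan
                if data[pos] == 0xFF and data[pos + 1] not in (0x00, *range(0xD0, 0xD8)):
                    break
                pos += 1
            segments.append((None, data[start:pos]))
    return segments, b""                        # no EOI: truncated file, nothing trailing


def analyse_jpeg(data):
    """Return a list of human-readable findings; an empty list means nothing polyglot-like was seen."""
    segments, trailing = parse_jpeg(data)
    findings = []
    for marker, payload in segments:
        # COM (0xFE) and APPn (0xE0-0xEF) are the free-form segments where HTML/JS can be hidden
        if marker in (0xFE, *range(0xE0, 0xF0)) and HTML_TOKENS.search(payload):
            findings.append(f"HTML/JS token in segment 0x{marker:02X}")
    if trailing:
        findings.append(f"{len(trailing)} bytes after EOI")
        if HTML_TOKENS.search(trailing):
            findings.append("HTML/JS token in trailing data")
    return findings


def is_suspicious(data):
    return bool(analyse_jpeg(data))


def _segment(marker, payload):
    """Build one marker segment with a correct big-endian length field."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples: minimal marker skeletons, not real pictures.
CLEAN_JPEG = (
    b"\xff\xd8"                                                          # SOI
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")    # APP0 / JFIF header
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\x00\x56"  # SOS + scan data with a stuffed 0xFF00
    + b"\xff\xd9"                                                        # EOI
)
POLYGLOT_COMMENT = (
    b"\xff\xd8"
    + _segment(0xFE, b"<script>/* constructed payload */alert(1)</script>")   # script hidden in a COM segment
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34"
    + b"\xff\xd9"
)
POLYGLOT_TRAILER = CLEAN_JPEG + b'<html><body onload="x()">..</body></html>'   # HTML appended after EOI

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("comment", POLYGLOT_COMMENT), ("trailer", POLYGLOT_TRAILER)):
        print(name, len(blob), "bytes:", analyse_jpeg(blob) or "no findings")
```

To use it on a real attachment, download the file (not from the compromised machine) and call `analyse_jpeg(open(path, "rb").read())`. Note that the `POLYGLOT_TRAILER` sample is only about 40 bytes larger than `CLEAN_JPEG`, which is why the size test from post #12 would not catch it; and even a positive finding only shows that the file carries non-image content, which, as posts #10 and #13 say, still needs a browser to treat it as HTML and a separate exploit to do any harm.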