
Take a good look at the image below and the device you are on.
Now view it again on an Apple device. Conversely, if you are using an Apple device, view this page on an Android or Windows device.
'Think different,' see different
If you are using an Apple device and viewing this page on Safari, chances are the image appears quite differently from what you'd see on, for example, Chrome or an imaging app on Windows.
Reverse engineer and cryptographer David Buchanan might have left us all puzzled with his latest creation:

The PNG above reads 'HELLO WORLD' for most users—except those who see 'HELLO APPLE,' that is, in Apple-made software.
But, believe us, it is the same image a.png, interpreted differently by Apple and non-Apple applications.
In tests by BleepingComputer, on macOS Big Sur 11.6, the latest version of Chrome web browser (96.0.4664.110 (x86_64)) rendered the text in the image as 'HELLO WORLD'. But, viewing this page on Safari, or the image alone in Mac's 'Preview' app shows 'HELLO APPLE.'

In another test by BleepingComputer on an iPhone, however, both Chrome web browser for iOS and Safari showed 'HELLO APPLE,' not 'HELLO WORLD.'
Here's one more to leave you startled a tad further—do you see an IBM or a Mac below? Once again, view this page with an Apple and non-Apple device:

Why does this happen?
On his website, Buchanan concisely explains the reason and the concept of 'parallel-decodable PNGs' that cause ambiguity among software applications.
Depending on an image renderer's implementation, the same PNG may be interpreted quite differently.
"I found this while writing my own multi-threaded PNG decoder. While pondering my design, I realised that I had an exploitable implementation bug," writes the engineer.
"After learning that Apple has their own implementation of parallel-decodable PNGs, I realised that they'd made exactly the same mistake!"
Buchanan discovered that it was possible to craft a PNG file where:
"This could happen if a ends midway through a non-compressed block. It is therefore possible for an image to have two possible interpretations, depending on whether a parallel or non-parallel decoder decodes it," further explains Buchanan.
"This can be mitigated by the decoder, by checking that there is no unprocessed data in each piece of the zlib stream. My implementation does not currently do this!"
To demonstrate the peak of possibilities that could be achieved with this 'mistake,' Buchanan shared proof-of-concept (PoC) code:

The 84-line PoC demonstrates how some image rendering libraries can be tricked into showing the alternate version of an image—the one with the 'SECRET MESSAGE.'
In fact, the reverse engineer has released a handy tool called 'Ambiguous PNG Packer' on GitHub that lets just about anyone create PNG images that look completely different in Apple software.
In March this year, Buchanan had also demonstrated how Twitter images could be abused to hide 3-MB-large ZIP and MP3 files within.
Now, had the end result of this parallel-decoding business been merely an erroneous or corrupted image that wouldn't render correctly, it would be easier to classify this as a 'bug.'
But, we wonder, could this become a security risk in some contexts or an attack vector for malicious actors to abuse? The same file seen differently by two entities is bound to cause trouble.
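The decoder-side mitigation quoted above can be approximated with a differential test. The following is an added example, not code from Buchanan's decoder or from the article: it decodes a raw DEFLATE stream once sequentially and once piece by piece with fresh decoder state, and reports unprocessed bytes or any disagreement. The helper names, the two-piece split and both sample streams are constructed for illustration.

```python
import struct
import zlib

RAW = -15  # raw DEFLATE, no zlib header (assumption: pieces are raw segments)

def stored_block(data: bytes, final: bool) -> bytes:
    """Hand-build one non-compressed (BTYPE=00) DEFLATE block."""
    n = len(data)
    return bytes([int(final)]) + struct.pack("<HH", n, n ^ 0xFFFF) + data

def check_split(stream: bytes, split: int) -> list:
    """Compare sequential decoding with stand-alone decoding of two pieces.

    Returns a list of findings; an empty list means both strategies agree.
    """
    findings = []
    seq = zlib.decompressobj(wbits=RAW)        # one decoder, state carried across pieces
    for i, piece in enumerate((stream[:split], stream[split:])):
        expected = seq.decompress(piece)
        solo = zlib.decompressobj(wbits=RAW)   # fresh state, like a parallel worker
        try:
            got = solo.decompress(piece)
        except zlib.error as exc:
            findings.append(f"piece {i}: not decodable on its own ({exc})")
            continue
        if solo.unused_data:
            findings.append(f"piece {i}: {len(solo.unused_data)} unprocessed bytes")
        if got != expected:
            findings.append(f"piece {i}: output differs from sequential decode")
    return findings

def well_formed_sample():
    """Constructed sample: the encoder fully flushes at the piece boundary."""
    c = zlib.compressobj(wbits=RAW)
    first = c.compress(b"row-a " * 40) + c.flush(zlib.Z_FULL_FLUSH)
    return first + c.compress(b"row-b " * 40) + c.flush(), len(first)

def mid_block_sample():
    """Constructed sample: the boundary falls inside a stored block's payload."""
    stream = stored_block(b"A" * 20, False) + stored_block(b"B" * 4, True)
    return stream, 5 + 10                      # 5 header bytes, then 10 of 20 payload bytes

if __name__ == "__main__":
    for name, sample in (("well-formed", well_formed_sample()),
                         ("mid-block", mid_block_sample())):
        print(name, check_split(*sample) or "consistent")
```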
Comments
h_b_s - 1 year ago
I don't immediately see any security ramifications with this without a chain downstream from the divergence. But I do see people being able to use this to show nasty images or messages only visible to Apple users as a throwback to the browser wars. Netscape advocates would sometimes intentionally sabotage webpages if someone visited their site with IE.
I use both 'everything else' and Apple products. Are there any real world instances where a PNG renders accidentally corrupted on Apple products but otherwise looks fine everywhere else? I've not personally seen such a case. The possibility does raise questions about using PNGs in the future for my own work, especially since Apple is sometimes glacially slow to fix bugs in their software.
tcallaha - 1 year ago
Chrome on iOS uses Safari’s rendering engine—Apple forces all iOS web browsers to use it, so in reality Chrome is just Safari with Google’s UI and service integrations (sync, etc). That’s why the PNG looks the same in both on an iPhone.
ken_smon - 1 year ago
Actually shows
"The requested content cannot be loaded.
please try again later."
on my MacBook using Safari.
This sounds more like an instance where a broken file could show differently, depending on how you try to display it.
My MacBook sees it as broken. Yours tries harder to figure it out and display "something".
h_b_s - 1 year ago
"Actually shows
"The requested content cannot be loaded.
please try again later."
on my MacBook using Safari.
This sounds more like an instance where a broken file could show differently, depending on how you try to display it.
My MacBook sees it as broken. Yours tries harder to figure it out and display "something"."
Safari v15.2 on a M1 MBP Monterey v12.1 shows it exactly how the article says it does. Firefox on the same MBP shows it the way the rest of the world sees it. I don't use Safari for other reasons, but here's another minor one to add to the list of reasons for me not using it.
DennisKovacich - 11 months ago
I’ve viewed this page on the following browsers:
iOS Safari
macOS Safari
macOS Chrome
macOS Firefox
macOS Brave
Windows 10 Chrome
Windows 10 Firefox
Windows 10 Edge
It displays the same on all of them.