A report in New Scientist magazine this week identifies a new threat to your information security, although it is unclear if this is in the wild yet.
In the article, researchers created software (a “bot”) that extracted sensitive user data (such as banking passwords or credit card numbers) and then hid this inside a picture file which was then uploaded to Facebook. Once on the social networking site it moves from you to you friends, to their friends until it eventually reaches the “botmaster.” This process is assisted by the fact that as your friends view your Facebook page, the pictures are automatically downloaded in the background assisting the bot to spread.
While this propagation method relies on the concept that everyone is, eventually, linked to everyone else this is still quite cumbersome and, in the wild at least, there are better ways for hackers to get access to your data.
The greatest concern here is that this threat is virtually undetectable and it is unclear if any anti-virus or anti-malware packages will ever be able to defend against it. However, it is a slow method and it would only ever be possible for small amounts of data to be sent in each picture.
As an estimate, it could hide around 50kilobytes of data in a normal camera-phone photo, so the risk here is not that you will lose large amounts of intellectual property (IP) but that if the bot is linked to another attack, it might be possible for it to capture your internet banking passwords and credit card numbers.