Didier Stevens

Monday 31 March 2008

<!– Hiding Inside Wikipedia –>

Filed under: Forensics — Didier Stevens @ 15:00

It seems that each time I attend Black Hat, I get some new steganography idea.

It’s easy to hide data inside Wikipedia pages. But before I explain how, understand that the general principle applies to most sites where users can edit content. They can all be used as a covert channel, but Wikipedia has become so common that it would have passed under my radar when performing a forensic investigation. But not anymore.

You can use the Wikipedia Sandbox to experiment while avoiding the wrath of the Wiki gods.

Select the “edit this page” tab to start editing the article:

[Image: wikipedia-0004.png]

Prepare the data you want to store on Wikipedia by converting it to a base64 representation (you can ZIP and/or encrypt it before converting it to base64). Insert the base64 data as a hidden comment inside the page:

[Image: wikipedia-0005.png]

Save your changes first, and then undo your changes via the “history” tab:

[Image: wikipedia-0006b.png]

That’s it! From now on, you can retrieve your data by comparing versions:

[Image: wikipedia-0008.png]

[Image: wikipedia-0009.png]

So how can you detect and prevent this? Head over to the PaulDotCom Community Blog for the answer, where I’m a guest blogger.
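
One way to check for this during an investigation, as an added example (not code from this post, and not the answer given on the PaulDotCom blog): scan every revision in a page's history, not only the current one, for HTML comments that hold long base64 runs. The revision ids, page text and payload below are constructed sample data, and fetching a real history is left out.

```python
import base64
import re

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Base64 may be line-wrapped but never contains spaces, unlike prose comments.
# Require at least 40 characters in 4-character groups, plus optional padding.
B64_RUN_RE = re.compile(
    r"(?:[A-Za-z0-9+/]{4}){10,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")

def encoded_comments(wikitext):
    """Decode every base64 run found inside an HTML comment of one revision."""
    payloads = []
    for comment in COMMENT_RE.findall(wikitext):
        unwrapped = comment.replace("\r", "").replace("\n", "")
        for run in B64_RUN_RE.findall(unwrapped):
            payloads.append(base64.b64decode(run))
    return payloads

def scan_history(revisions):
    """revisions: (rev_id, wikitext) pairs, oldest first. Returns one finding
    per payload, noting whether it is still present in the latest revision."""
    latest = set(encoded_comments(revisions[-1][1]))
    findings = []
    for rev_id, text in revisions:
        for payload in encoded_comments(text):
            findings.append({
                "rev_id": rev_id,
                "bytes": len(payload),
                # ZIP local file header magic; anything else is reported as opaque
                "kind": "zip" if payload.startswith(b"PK\x03\x04") else "opaque",
                "in_latest": payload in latest,
            })
    return findings

# Constructed sample: a 64-byte stand-in payload, base64-encoded and wrapped.
_b64 = base64.b64encode(b"PK\x03\x04" + bytes(range(60))).decode()
_wrapped = "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
_clean = "Welcome to the sandbox.\n<!-- Please leave this line alone -->\n"
SAMPLE_HISTORY = [
    (1001, _clean),                                    # original page
    (1002, _clean + "<!--\n" + _wrapped + "\n-->\n"),  # edit adding the comment
    (1003, _clean),                                    # undo: page looks untouched
]

if __name__ == "__main__":
    for finding in scan_history(SAMPLE_HISTORY):
        print(finding)
```

The only finding is in the undone revision 1002 with `in_latest` false, which is why a check of the live page alone misses it.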
