Steganography with Flickr

Posted Jul 29th 2005 3:36PM by Keith McDuffee

steganography I've recently purchased a Pro account over on Flickr. Since I'm moving to a new place in a few weeks, paranoia has set in over possibly losing all of my digital photos due to a dropped computer, lost backup DVDs and CDs, or simply stolen equipment. What's great about Flickr is the sorting capabilities and, most importantly, unlimited storage. Surely they must have something in place to avoid taking too much advantage of that unlimitedness? Actually, it seems they don't.

Steganography is a way of embedding just about any kind of file or data within another "cover" file, though not noticably altering the cover file's content. Usually this embedded content is encrypted with a passphrase of some sort, only extractable via special programs. So should you embed a file within a JPEG image, for example, the casual observer would only see the image and perhaps only notice something odd due to the image's file size.

I decided to give steganography a try on Flickr's system, wondering if they somehow sensed altered images and stripped the extra data or raised a red flag of some sort. Since I'm primarily a Linux user, I opted for the Steghide utility, though there are several freeware Windows applications available that do the same. Steghide allows you to embed any data within JPEG, BMP, WAV and AU files, encrypting, passwording and compressing the content if you wish.

After installing the program on my Fedora Core 4 system, the procedure was rather simple. I decided to use a nice B&W photo of my dog, Guinness, as the cover file (image links to Flickr location):

Next I picked a basic PDF file as the embedded document. I just picked a PDF job application form from my old school.

$ steghide embed -ef JobApp.pdf -cf guinness.jpg -p testing123 -sf guinness-steg.jpg
embedding "JobApp.pdf" in "guinness.jpg"... done%
writing stego file "guinness-steg.jpg"... done
$ ls -g
total 3416
-rw-r--r-- 1 admin 1709600 Jul 29 13:39 guinness.jpg
-rw-r--r-- 1 admin 1696487 Jul 29 14:25 guinness-steg.jpg
-rw-r--r-- 1 admin   73255 Jun 30 14:09 JobApp.pdf

As you can see, the compression did a pretty good job -- the image containing the PDF is actually smaller than the original! Do they look any different? Nope.

Now let's get some info on the file:

$ steghide info guinness-steg.jpg
"guinness-steg.jpg":
format: jpeg
capacity: 104.6 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
embedded file "JobApp.pdf":
    size: 71.5 KB
    encrypted: rijndael-128, cbc
    compressed: yes

And to extract the embeded file:

$ steghide extract -sf guinness-steg.jpg -p testing123 -xf JobApp2.pdf
wrote extracted data to "JobApp2.pdf".
[keith@daedalus]$ ls -g
total 3492
-rw-r--r-- 1 admin 1709600 Jul 29 13:39 guinness.jpg
-rw-r--r-- 1 admin 1696487 Jul 29 14:25 guinness-steg.jpg
-rw-r-r%uFFFD -- 1 admin   73255 Jul 29 14:30 JobApp2.pdf
-rw-r--r-- 1 admin   73255 Jun 30 14:09 JobApp.pdf

I've tested uploading the "guinness-steg.jpg" to Flickr and then downloading it again, and the embedded PDF file stays intact. Check it for yourself.

So basically Flickr can be used as a personal off-site backup system for all of your documents, not just images. Steganographied images can be shared with Flickr friends to pass on documents or other files. Honestly, though, I feel Flickr is an amazing service that I'd rather not see abused and lead to limit Pro account sizes. I'd rather see them figure out a way to stop such a thing from being possible or else let it be known such a practice is OK or not in their eyes.

Reader Comments

(Page 1)

1. This is definitely an interesting use of Flickr. And I'm actually a little surprised I hadn't seen it anywhere yet.

I agree that getting Flickr's take on this would be nice. Just to know whether this sort of action is acceptable.

Posted at 6:25AM on Dec 19th 2005 by Lewis

2. anyone tried this on blogger's image hosting?

Posted at 6:25AM on Dec 19th 2005 by primary0

3. How about a way to make a Flickr drive like the gmail drive filesystem extensions. this would be even better because the files are encrypted in the images.

Posted at 6:25AM on Dec 19th 2005 by orrin

4. Hiding a file in image obviously changes the image, some steg app's just change the least significant bit of each byte in the data part of the image file. so any image has some random data hidden in it(which might not be usefull). This also means that you can only hide 1k in a image that is 8k in size(without compression etc).

Wont it be easier just to encrypt the data and upload it(may add a image header to it, so that the site doesnt complain). Obviously it wont look like an image but noone will be able to get to the data.

Just my 5c ZAR (excl vat)

Posted at 6:26AM on Dec 19th 2005 by Gert Burger

5. well i think it's a disgrace. probably

Posted at 6:26AM on Dec 19th 2005 by Darkeel

6. As steganography is very difficult to detect, I would suspect that there is not a single image hosting site that looks for it.

Gert Berger is somewhat correct when he's talking about using the LSB, but several steg programs out there will alter more than one LSB, all while keeping a histogram of the image exactly the same and only filling around 30-40% of the container file -- VERY tough to detect (if not impossible).

Niels Provos wrote stegdetect which determines if an image has something embedded in it from certain tools, but that I'm aware of, no one has written anything that detects general steganography.

You said that you'd rather see the service not abused like this. What's wrong with it? That's almost like saying you'd rather not see email abused by sending encrypted emails. Images are images, and some may happen to contain other info, but as long as it's an image, why would Flickr care?

Posted at 6:26AM on Dec 19th 2005 by Dave

7. What's "wrong" with it is that Flickr's Pro accounts have unlimited storage. It's only a matter of time before someone makes a "Flickr Drive" like the GMail drive for storing files on the site, only with the Pro account (which is very cheap, if you're able to store more than images there) you have unlimited storage capability and even have the option of making those files/images available for public download.

Posted at 6:26AM on Dec 19th 2005 by Gudlyf

8. Surely i simple watermark or reencode would be enough to disrupt any crypted data, one line of code with gd if they wanted to stop people doing this.

Posted at 6:26AM on Dec 19th 2005 by Piers

9. Are the common license agreements on flickr in their various forms not good enough? I know on many pages the download picture is not even enabled.

Posted at 6:26AM on Dec 19th 2005 by Felipe

10. Keep in mind that although Flickr doesn't scrub the uploaded images for hidden files, it does cap your upload bandwidth (2GB per month) so there is some limit to the ability the user has to use the service for normal file hosting.

Posted at 6:26AM on Dec 19th 2005 by Stuart Montgomery

11. re: #6 & 7
The comparison of "mis-using" email is excellent. Hiding data in stored images is no worse than encrypting data in stored emails (e.g. PGP).

And, related to Flickr dealing with abuse or storage issues, Google's Gmail is proving the low cost of ever-increasing storage. At worst, I'd expect Flickr to slightly increase the cost of the Pro account. At best, Flickr will gain new customers, like me, who were attracted by the flexibility of the service.

Posted at 6:26AM on Dec 19th 2005 by Ken

12. For any Mac users who want to try this out, there's a free utility called PictureSpy* that'll encode files/messages into your photos.

I started a thread on Flickr's help forum asking if this was kosher, but no replies yet. I can't see why it wouldn't be, as long as you don't do anything illegal. (That goes for pictures in general anyway: you can pretty much upload what you want, as long as it isn't illegal.)

* http://homepage.mac.com/biggreen/

Posted at 6:26AM on Dec 19th 2005 by Dan Bruno

13. So basically you're showing us how to use a photo storage service to store private data. I think this is immoral and is probably against the terms of service.

Flikr could probably detect the changes anyway. When you do stego on Jpegs you do it by altering the coefficients on the waveforms. The problem is these coefficients usually conform to a gaussian distribution and by packing so much data in to the jpeg you're going to screw up that distribution.

To hide truly undetectable data in there is going to be difficult and the channel capacity wont be all too great. It's a clever idea but I'm against it. If you want storage, buy a web-hosting package and FTP it up to it there.

Posted at 6:26AM on Dec 19th 2005 by Andrew

14. nice idea! :) very interesting way of uploading non-picture files to Flickr

Posted at 6:26AM on Dec 19th 2005 by Gregory R. Panakkal

15. Jesus Christmas people. Get off his F***ing back already. Its just an example.

Get off your "its immoral" highhorse and chill out already.

Posted at 6:26AM on Dec 19th 2005 by Mark Bowman

16. What about these pesky terrorists ..

Posted at 6:26AM on Dec 19th 2005 by wmitchell

17. Cool hack. Neat stuff.

Moral issues aside, using Flickr to store or backup data is a really bad idea simply because Flickr makes no real guarantees that your images will stick around forever. Furthermore, given the explosion in data size-- 71K in a 1.6MB file isn't terribly efficient (I'm sure more data could go on, but it is still a huge size explosion)-- the average photography will have a hard time coming up with enough photos that look reasonably real to store any significant quantity of data.

Finally, Flickr has an "mark as offensive" feature. Given the vast horde of users on Flickr, this feature could easily be morphed into a "mark as Flickr service abuse" feature thus creating a self-policing environment.

In any case: cool hack.

Posted at 6:26AM on Dec 19th 2005 by Bill Bumgarner

18. You can hardly say it's immoral to tell people about this. I agree that using an unlimited account as a "flickr-drive" could be considered immoral, I think it depends on what Flickr has to say about it.

Andrew: I'm sure many people have thought of this. It's fairly simple, stenography is pretty well known and I came up with the idea as well, as I'm sure many other people have. The article is pretty clear that the author does not want flickr abused but wants to bring the possibility to flickr's and others attention.

Posted at 6:26AM on Dec 19th 2005 by Max Demain

19. Over at Fotopic.net we've been doing photo sharing for a few years longer than Flickr, and had this problem for a while. We ended up writing some filters which score suspicious-looking jpeg files (things like image dimensions vs filesize for one).

It wasn't uncommon for us to get a 200x200 jpeg which was about 10M in size, and find RAR headers in it. Given the volume of photos submitted it's a bit hard to scan everything but we score it and it works 99% of the time.

Of course, there's the pillocks who'll upload a photo called "winxp-sp2-cr4ck3d.r01.jpg", and oddly enough they're pretty easy to spot ;)

Posted at 6:26AM on Dec 19th 2005 by Joel Rowbottom

20. Flickr does in fact have a monthly upload limit (for free users anyway). While this is not a filespace limit, it does effectively throttle the rate at which you can upload data. And the paid users are no doubt funding disk space expansion.

Keep in mind though that, as Google Mail and its playing-catch-up competitors have shown, file storage space is increasingly cheap. The existence of gmailfs didn't stop them from raising their account quota to nearly 2.5GB.

(Though I suppose you could create a glut of free accounts and take advantage of the sum of their upload limits.)

Posted at 6:26AM on Dec 19th 2005 by Romulus

Next 20 Comments

Add your comments

Please keep your comments relevant to this blog entry. Email addresses are never displayed, but they are required to confirm your comments.

When you enter your name and email address, you'll be sent a link to confirm your comment, and a password. To leave another comment, just use that password.

To create a live link, simply type the URL (including http://) or email address and we will make it a live link for you. You can put up to 3 URLs in your comments. Line breaks and paragraphs are automatically converted — no need to use <p> or <br> tags.

El Fiat 500 Abarth Opening Edition Maserati Gran Bretaña reserva el Salon Privé del Club Hurlingham en un evento solo para damas BMW y Fiat asociándose para compartir plataformas de compactos	Make your own butter Aloe vera for healthy skin Sticky notes books make great gifts
Celine 'Watch Me Dance' Clutch, Handbag of the Day The Trouble in Tamarack De Beers Plans More Retail Stores	Sir John Templeton, best contrarian investor of the 20th Century, dies at 95 Alcoa shares higher after not-as-bad-as-expected earnings Canadian rock band Nickelback latest music act to join Live Nation
1080 Recipes, Cookbook of the Day Is a spill catcher necessary? Beat the heat with a Mojita Granita	Cockpit Chronicles: Paris - A trip with too much adventure Another unruly family kicked off plane Enter to win a free Tom Tom ONE GPS unit!