Cloudinary Blog

Viral Images: Securing Images and Video uploads to your systems

By Ran Rubinstein

When was the last time you got paid $40,000 for a few days of work? That is what happened last year to Russian independent security researcher Andrey Leonov, who discovered that if you upload a specially constructed image file to Facebook, you can make Facebook's internal servers, nested deep within their firewalls, run arbitrary commands to expose sensitive internal files in a way that could easily lead to a data breach.

Facebook was lucky that this exploit was discovered by an ethical hacker and not a criminal, and gladly paid him one of the highest bounties ever published for a security bug disclosure.

The bug that Leonov discovered was quite embarrassing, as it revealed that Facebook had neglected to update the image processing libraries on its servers. This was the case even though the vulnerability, dubbed ImageTragick, had been discovered five months earlier, was widely discussed in the tech press and recognized as a high-risk threat, and security patches for the affected operating systems were made available immediately (1). Last year, it took us 45 minutes to patch our systems against this bug, on the day it was announced, from the moment we found out about it: ImageMagick, among other tools, is used within some of our image processing pipelines, and we closely follow security announcements about these tools. This is not bragging - we have had cases as well where minor, less publicized issues lingered for weeks before being patched. It does go to show that even one of the most admired software engineering organizations in the world can have its bad days and neglect a trivial patch. On the other hand, Facebook's willingness to publicly discuss and publish this vulnerability is admirable, and promotes the security of the web at large. Stories like this help raise public awareness of the risks of not properly maintaining your servers and software.

How do organizations protect themselves against such risks?

There are several technical and organizational procedural controls that a development organization needs in order to stay on top of security risks. In the Facebook case, Leonov collected "low-hanging fruit" via a well-known, published bug. But what about the countless unknown bugs that lurk within the multitude of libraries, software packages and services required for an advanced image and video processing system? What about other file formats such as PDF and SVG, which both deserve a special place in the vulnerability hall of shame?
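One cheap, defensive gate that follows from the point above: decide up front which raster formats a pipeline will decode at all, and reject anything whose bytes do not match the declared type before a content-sniffing decoder ever sees it. This is an added example, not Cloudinary's code; the allow-list, the helper names and the sample files are all constructed for illustration.

```python
# Added example (not Cloudinary's code): reject uploads whose bytes do not
# match a small allow-list of raster formats before they reach ImageMagick
# or any other decoder. The allow-list and the sample files are constructed.
from typing import Optional, Tuple

# Magic-byte signatures for the formats the pipeline is willing to decode.
# Everything else (SVG, PDF, PostScript, vector scripts, ...) is rejected
# up front, so a decoder that sniffs content never gets to choose for us.
SIGNATURES = {
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}
# Declared extension -> allow-listed format it is supposed to contain.
EXTENSIONS = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}


def sniff_format(data: bytes) -> Optional[str]:
    """Return the allow-listed format whose signature starts `data`, else None."""
    for fmt, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return fmt
    return None


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Accept only when the declared extension and
    the actual bytes agree on a single allow-listed raster format."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = EXTENSIONS.get(ext)
    if declared is None:
        return False, f"extension '{ext}' not allow-listed"
    actual = sniff_format(data)
    if actual is None:
        return False, "content does not start with an allow-listed signature"
    if actual != declared:
        return False, f"extension says {declared} but content is {actual}"
    return True, "ok"


# Constructed samples: a minimal JPEG/JFIF prefix, an SVG document disguised
# as .png, and a PDF header disguised as .jpg.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16,
    "logo.png": b"<svg xmlns='http://www.w3.org/2000/svg'></svg>",
    "scan.jpg": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, validate_upload(name, blob))
```

The check is a first gate in front of the decoders, not a substitute for patching them: a malformed file that is a genuine JPEG still reaches the library.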

Organizations employ security teams that audit internal software libraries, third-party tools and services, and take care to regularly patch operating systems and software stacks. However, media processing pipelines are especially sensitive to patches and upgrades that change functionality and resulting outputs, so they are often 'frozen in time' to preserve the same outputs and avoid breaking the pipelines.

At Cloudinary, we employ the following principles to guard against risks:

  1. Assign responsibilities. Information security is considered a strategic issue, and is the responsibility of an executive management team member, coordinating the organization-wide efforts.
  2. Create, implement and enforce company wide procedures. We created and maintain a set of security procedures, compatible with the widely acclaimed ISO 27001 information security standard. These procedures apply to every level of company activity, from hiring procedures, to writing code.
  3. Get help. We employ a third-party consulting company specializing in information security standards and procedures to create, maintain and validate enforcement of the controls mentioned above.
  4. Monitor. No system is free of bugs, even if everybody in the dev org is a security expert and you run the best static code analysis and network monitoring tools. We hire external penetration testers to probe our APIs and web applications regularly. Our systems are patched automatically via daily updates whenever possible. Our security team subscribes to the CERT mailing lists in the countries where we have offices, and gets alerts on new vulnerabilities found in the core libraries and operating systems we use. We also regularly pay bounties (albeit smaller than $40,000) to independent researchers who report security issues in our systems. Watch this space for a future announcement of a public bug bounty program - there are several popular services that provide an infrastructure for such programs.
  5. Focus. As a SaaS/API provider, the philosophy of using best-of-breed external providers, where available, is ingrained into our culture. We prefer to focus on our own unique software offering rather than develop internal systems replicating functionality available elsewhere, so we use API and SaaS providers (after vetting them for security) whenever possible. Every line of code your programmers write, or library they use, is a potential bug, and using properly vetted providers can help you outsource non-core functionality to experts whose job is to focus on it.

Is this article designed to sell you on using external services for non-core functionality?

Yes, it absolutely is!

In the build vs. buy dilemma, security considerations have pluses and minuses on both sides. One important thing to consider is that a security breach becomes an eventuality, not a probability, as your website or app grows more important and popular. If someone penetrates your systems via a malicious image, video or file upload, whose internal network would you rather have breached - yours or the SaaS provider's? If Facebook had used an external provider for image processing, it would have saved them from having to maintain, patch, continuously monitor and test their image processing pipelines, and from dealing with the implications of a hacker snooping around their internal networks. Plus, they would get more image and video processing features than they would ever consider developing in-house, allowing them to experiment with new functionality without having to invest the development time and effort required to make these capabilities secure.

Footnotes

(1) According to Leonov's blog, Facebook's unpatched image libraries were compounded by a misconfigured firewall that allowed internal information to leak out to the internet via DNS tunneling.
