Facebook is a place where you can share pictures of cute animals and fun activities. Now there’s a browser extension that lets you encode those images with secret, hard-to-detect messages.
That’s the idea behind Secretbook, a browser extension released this week by 21-year-old Oxford University computer science student and former Google intern Owen-Campbell Moore. With the extension, anyone — you, your sister, a terrorist — could share messages hidden in JPEG images uploaded to Facebook without the prying eyes of the company, the government or anyone else noticing or figuring out what the messages say. The only way to unlock them is through a password you create.
“The goal of this research was to demonstrate that JPEG steganography can be performed on social media where it has previously been impossible,” Campbell-Moore tells Danger Room. He says he spent about two months spread out over the last year working on the extension as a research project for the university.
The extension is only available for the Google Chrome browser — Campbell-Moore cites its developer tools and popularity — and the messages are restricted to 140 characters. Less certain is what Facebook thinks; a spokesman declined to comment. But it’s still the first time anyone’s managed to figure out how to automate digital steganography — the practice of concealing messages inside computer files — through Facebook, the world’s biggest social media platform. Unlike cryptography, which uses ciphertext to encrypt messages, steganographic messages are simply hidden where no one would think to look.
For an image, that could be a bunch of pixels or electronic 1s and 0s. In Facebook’s case, they can be hidden among the tons of images uploaded to the site daily.
It wasn’t easy developing the extension. “Many tools for steganography in JPEGs have existed in the past although they have always required that the images are transmitted exactly as they are,” Campbell-Moore says.
The image on the right has been encoded with a secret message. Photo: courtesy of Owen Campbell-Moore
This could be a single pixel changed to a different color, and then repeated over several images, spelling out a message — which you can’t see, unless you have the translation key, and know which pixel to look for. But when you upload an image to Facebook, the image is automatically recompressed, which can lower the image quality. If you’ve encoded a secret message in the image, Facebook will garble it. Facebook competitor Google+ doesn’t do this, so you can share encoded messages there without needing an app for it.
So Campbell-Moore replicated Facebook’s recompression algorithm, available in a draft research paper (.pdf). When encoding a message into an image, the extension automatically compresses the image, as Facebook would. Then it makes lots of “very slight” changes to add redundancy. “This minimizes the amount of change it will undergo when they do recompress it, keeping the damage to the secret message low,” he says.
“Conceptually, imagine storing the message ten times, each in different sections of the photo before it is uploaded and recompressed,” Campbell-Moore adds. “The algorithm can then piece the original message back together correctly, despite each copy stored in the image being slightly damage
Wired.com