‘Secretbook’ Lets You Encode Hidden Messages in Your Facebook Pics

Richard Clayton richard at highwayman.com
Thu Apr 11 11:56:57 BST 2013

In article <CALh-06nSm1uRjZpakQTFSHfhN21jMmBQapzoW6ZHKmjngoyRcw at mail.gmail.com>, Owen Blacker <owen at blacker.me.uk> writes

>Facebook is a place where you can share pictures of cute animals and fun
>activities. Now there’s a browser extension that lets you encode those
>images with secret, hard-to-detect messages.

that's two different properties... if the stego message has been
encrypted before it is embedded then if the key is long enough then it
is likely to stay secret.

If "too much" data is embedded then it will be detectable by one of a
number of methods (real pictures have various statistical properties
that are disrupted by the embedding of what is effectively "noise").

There's a vast literature on this; a good starting place is Jessica
Fridrich's work: http://www.ws.binghamton.edu/fridrich/

>“The goal of this research was to demonstrate that JPEG steganography can
>be performed on social media where it has previously been impossible,”
>Campbell-Moore tells Danger Room. He says he spent about two months spread
>out over the last year working on the extension as a research project for
>the university.

Embedding short messages into media that will survive transforms is
called "watermarking" and there is a large literature on that as well!
The initial robustness scheme called StirMark dates from 1997


and since this is usually successfully passed, there have been later
proposals such as CheckMark which add more transforms.

The particular proposal here seems to have been specifically designed to
survive Facebook's transform rather than to survive more general changes
to the image.

>It wasn’t easy developing the extension. “Many tools for steganography in
>JPEGs have existed in the past although they have always required that the
>images are transmitted exactly as they are,” Campbell-Moore says.

His draft paper is at


it contains no references to other work at present, so it's not possible
to see whether or not he has encountered the papers that might disabuse
him of this exact statement :(

>If you’ve encoded a secret message in the image, Facebook will garble
>it. Facebook competitor Google+ doesn’t do this, so you can share
>encoded messages there without needing an app for it.

An important reason for processing the images is that this prevents
people installing malicious images on their pages which will compromise
visitors whose graphic display software contains security flaws! I fully
expect [but have not tested] that Google+ does do some manipulations to
avoid this!

richard                                              Richard Clayton

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.         Benjamin Franklin
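
The point in the message that embedding "too much" data disrupts an image's statistics can be seen with a pairs-of-values chi-square test. This is an added illustration, not part of the original message and not Secretbook's method; it assumes plain LSB replacement of a random payload, and the cover is constructed data (a steep synthetic histogram standing in for image samples).

```python
import random
from collections import Counter

def make_cover(n, rng):
    """Constructed cover: integer samples with a steep, Laplacian-like
    histogram, so neighbouring values 2k and 2k+1 are NOT equally frequent."""
    return [int(rng.expovariate(0.2)) for _ in range(n)]

def embed_lsb(samples, rate, rng):
    """Replace the LSB of a random fraction `rate` of the samples with random
    bits (an encrypted payload looks like random bits to the cover)."""
    out = list(samples)
    for i in rng.sample(range(len(out)), int(rate * len(out))):
        out[i] = (out[i] & ~1) | rng.getrandbits(1)
    return out

def pov_chi2_per_dof(samples, min_pair=20):
    """Pearson chi-square of every pair of values (2k, 2k+1) against the
    hypothesis 'both members are equally frequent', divided by the number of
    pairs tested. A result near 1.0 means the pairs have been equalised."""
    hist = Counter(samples)
    stat, dof = 0.0, 0
    for even in range(0, max(hist) + 1, 2):
        a, b = hist[even], hist[even + 1]
        if a + b < min_pair:          # skip sparsely populated pairs
            continue
        expected = (a + b) / 2
        stat += ((a - expected) ** 2 + (b - expected) ** 2) / expected
        dof += 1
    return stat / dof

def demo(seed=2013):
    """Score the same constructed cover at several embedding rates."""
    rng = random.Random(seed)
    cover = make_cover(200_000, rng)
    return {rate: pov_chi2_per_dof(embed_lsb(cover, rate, rng))
            for rate in (0.0, 0.05, 0.5, 1.0)}

if __name__ == "__main__":
    for rate, score in demo().items():
        print(f"embedding rate {rate:4.0%}: chi2/dof = {score:8.1f}")
```

A score near 1 flags equalised pairs; a small payload leaves the score close to the untouched cover's, so this particular test only catches embedding that fills much of the available capacity.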