Instagram and Steganography

After doing an Instagram API, i though it would be great to do some experiments. Let’s hide info in my Instagram’s pictures. Before starting, let me explain the concepts.

Q: What is Steganography?

A: Steganography is the science of concealing a hidden message in plain sight in order to avoid detection.

There are many mechanisms to hide information in images, for example LSB Steganography:

lsb

An HTTP Request could contain hidden information in the headers like:

X-SecretInfo: HiddenMessage

Instagram and Steganography

First of all we are going to hide a file inside of an image, since i don’t want to code my own mechanism, there are available binaries you can use to hide your information in images, and other StegoAnalysis Tools.

I have created a text file named secret.txt that contains the following string: This is a hidden message!

You can also hide text without any file. This file can be encrypted or not, that depends in the security you want to add to the hidden information.

stego

Now that we have hidden our information, lets compare both original and modified image:

originalmodified

There is no evidence of information, although you can notice variation in its size:

original

Let’s upload our modified image to Instagram using the Instagram API i did. Here i have a very easy script:

<?php

include __DIR__.'/Instagram-API/vendor/autoload.php';

$i = new \InstagramAPI\Instagram($username, $password, true, null, true);

try{
$i->login();

} catch (Exception $e)
{
  echo "something went wrong ". $e->getMessage()."\n";
  exit(0);
}
try {
  $i->uploadPhoto(__DIR__.'/modified.jpg');

} catch (Exception $e) {
  echo $e->getMessage();
}

Let’s check the debug, and see if the modified photo that contains our file with the secret message hidden is uploaded to Instagram.

POST:  upload/photo/
 74.78kB
 200 	 46B
RESPONSE: {"status": "ok", "upload_id": "1474046832992"}

POST:  media/configure/?
RESPONSE: {"status": "fail", "message": "Uploaded image isn't in an allowed aspect ratio"}

Since Instagram doesnt allow the aspect ratio of the image, im going to resize/crop it and try again:

POST:  upload/photo/
 160.17kB
 200 	 46B
RESPONSE: {"status": "ok", "upload_id": "1474047117214"}

POST:  media/configure/?
 200 	 2.01kB
RESPONSE: {"status": "ok", "media": {"taken_at": 1474047118, "pk": 1340726859621347386, "id": "1340726859621347386_***", "device_timestamp": 1474047117214, "media_type": 1, "code": "BKbN_mwjjA6", "client_cache_key": "MTM0MDcyNjg1OTYyMTM0NzM4Ng==.2", "filter_type": 0, "image_versions2": {"candidates": [{"url": "http://scontent-mad1-1.cdninstagram.com/t51.2885-15/e35/14295440_1055124507942063_1793804175_n.jpg?ig_cache_key=MTM0MDcyNjg1OTYyMTM0NzM4Ng%3D%3D.2", "width": 460, "height": 460}, {"url": "http://scontent-mad1-1.cdninstagram.com/t51.2885-15/s320x320/e35/14295440_1055124507942063_1793804175_n.jpg?ig_cache_key=MTM0MDcyNjg1OTYyMTM0NzM4Ng%3D%3D.2", "width": 320, "height": 320}, {"url": "http://scontent-mad1-1.cdninstagram.com/t51.2885-15/s240x240/e35/14295440_1055124507942063_1793804175_n.jpg?ig_cache_key=MTM0MDcyNjg1OTYyMTM0NzM4Ng%3D%3D.2", "width": 240, "height": 240}, {"url": "http://scontent-mad1-1.cdninstagram.com/t51.2885-15/s150x150/e35/14295440_1055124507942063_1793804175_n.jpg?i...

There we go! Now lets check our modified photo on Instagram:

profile

The modified photo was uploaded correctly. However, I forgot that Instagram makes compression of images server-side, so I had to change steganography mechanism in order to prevent data loss from compression.

And finally… we did it!

success

And these are the files extracted from the image. Only secret.txt was extracted the other files are just hashes to verify file integrity.

recovered

And the file’s content:

stegosecret

I hope you enjoyed this brief post, if I have more time, I’ll write more stuff!

Have a good weekend! :)