Episode: 4406
Title: HPR4406: SVG Files: Cyber Threat Hidden in Images
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr4406/hpr4406.mp3
Transcribed: 2025-10-26 00:19:31

---

This is Hacker Public Radio Episode 4406 for Monday the 23rd of June 2025. Today's show is entitled, SVG Files, Cyber Threat Hidden in Images. It is hosted by Komok and is about 8 minutes long. It carries a clean flag. The summary is, out of nowhere, my Firefox browser on my Mac mini started automatically adding every page I visited.

Hi everyone, welcome to Hacker Public Radio with me Cosmos. The show where I share my experiences from cyber security, Raspberry Pi projects and Ham Radio. Today's episode was inspired by a creepy incident that happened to me recently. Just a few days ago, out of nowhere, my Firefox browser on my Mac mini started automatically adding every page I visited to my bookmarks. At first I thought it was a bug after a recent update, maybe a misconfigured setting or similar. But when I searched for a fix, Google suggested something alarming: scan for malware. And guess what? The source of my troubles turned out to be for SVG files, hidden malicious code.

That's right, those innocent looking vector graphic files that are used every day for logos, icons in a web design, they can secretly carry malware. In my case, those were the files, logos of reputable delivery companies like Deliver and Just Eat, which I have downloaded while I was updating a website for my client. And today I would like to break down how SVG files can be weaponized, why they're so effective and how to protect yourself. So let's dive in.

As first, for those listeners who don't know what are the SVG files, SVG stands for scalable vector graphics. It's an image format that uses XML-based text to define shapes, colors, animations and similar behavior.
And unlike the JPEGs or PNGs, SVGs aren't just pixel-based, they are code-driven, which makes them flexible for web design, but also it makes them good for potential security risk. So they can contain even the JavaScript, they can be interactive, the item or graphic can change the colors and so on and so on. So many email filters and antivirus programs don't scan SVGs as thoroughly as executables. They're really common, logos and icons, so they don't raise immediate suspicions.

As number two, how SVG delivers the malware: it can take a few ways, from putting some malicious JavaScript. It can link to some external server where once when you download and start a code it will get it from somewhere else, and it can be like putting the attachment. So the point is you get that file in a certain moment when you did something like load the document, it will start to execute its content or its payload.

So the best way to protect yourself is not to open, which is much easier to say than to be done. So any items that you're downloading from Internet when it's containing images in this SVG file or some similar like PNG, you should scan it separately in some sort of sandbox. If you're using a simple viewer to see the documents or images you should turn off any execution of JavaScript for any graphic format, not just the SVG.

More popular and people are more knowledgeable about similar kind of threats they're coming from various document files like Office, Doc or XLSX formats that are using Word and Excel programs. They have a macro command available, then pretty much similar situation with the PDFs where PDFs have embedded in itself various JavaScript or certain elements that are building the documents and itself just like font that is embedded so it will look the way it is but behind that look it is going to be something potentially dangerous.

Sometimes you don't need even a big software package or even the programs to detect that something is wrong with the file.
This should be suspicious to me when I was downloading. When I have downloaded already and then I should notice that one of the files that was about a few hundred pixels and just color on the background contain a few megabytes of the space that should be just a few hundred kilobytes. There are similar kinds of documents that can be also used like PNGs, JPEGs, whatever, whatever. And they do the same, even you open the image, it looks on the screen the way it should look but what your program or picture viewer doesn't show is the code that is somewhere behind in some layer, in some metadata hidden or any other way how the hacker intended to hide it and to deploy its program and make some harm or damage to the end user.

I would like to take this opportunity for everyone to share their experience if they have encountered similar issues with SVG or any other format or file that they deployed and help our community and our friends and families to protect themselves. Share your stories in the comments, you put it on your social, on web or on the HPR Telegram channel, stay vigilant and hope you will also contribute to HPR radio. Best regards everyone.

You have been listening to Hacker Public Radio at HackerPublicRadio.org. Today's show was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, then click on our contribute link to find out how easy it really is. Hosting for HPR has been kindly provided by AnHonestHost.com, the Internet Archive and rsync.net. Unless otherwise stated, today's show is released under a Creative Commons Attribution 4.0 International License.
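
The checks the episode describes (JavaScript inside the SVG, links to an external server, and a file far larger than a simple logo should be) can be run on a download before it is opened in a browser. This is an added example, not part of the episode; the sample SVG is constructed, and the 500 kB threshold, the tag list and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a logo-like SVG carrying active content (not from the episode).
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200" onload="init()">
  <rect width="200" height="200" fill="#00ccbc"/>
  <script>/* constructed placeholder for embedded code */</script>
  <a xlink:href="javascript:void(0)"><circle r="40"/></a>
  <image href="https://files.example.invalid/logo.png"/>
</svg>"""

ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
MAX_BYTES = 500_000  # assumed threshold: a flat logo should be far smaller


def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def scan_svg(data, max_bytes=MAX_BYTES):
    """Return a list of findings; an empty list means no active content was seen."""
    findings = []
    if len(data) > max_bytes:
        findings.append(f"size: {len(data)} bytes exceeds {max_bytes}")
    # Refuse DTDs up front: they enable entity tricks and a logo does not need one.
    if re.search(rb"<!(DOCTYPE|ENTITY)", data, re.I):
        return findings + ["dtd: DOCTYPE/ENTITY declaration present"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return findings + [f"parse: not well-formed XML ({exc})"]
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"element: <{tag}>")
        for attr, value in el.attrib.items():
            name, val = local(attr).lower(), value.strip().lower()
            if name.startswith("on"):  # onload, onclick, ... event handlers
                findings.append(f"handler: {name} on <{tag}>")
            elif name in ("href", "src"):
                if re.sub(r"\s+", "", val).startswith(("javascript:", "data:text/html")):
                    findings.append(f"script-url: {name} on <{tag}>")
                elif val.startswith(("http:", "https:", "//")):
                    findings.append(f"external: {name} on <{tag}>")
    return findings
```

Call `scan_svg(open(path, "rb").read())` on each downloaded file; any non-empty result is a reason to open the file in a text editor before it goes onto a website.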