Image links not safe on steemit.com | External images displayed | Beware of social engineering attempts with such links

in #steemit · 8 years ago

Today, while reading posts on steemit, I found something interesting about the images posted here. I checked the link for one of the images in a post and experimented with it. I found that even if I or anyone else has not included an image in any post, it can still be viewed from a steemit.com URL. Basically, the image is not uploaded to or hosted on steemit's servers, but from the URL it can be misinterpreted that the image is on steemit.com.

For example, check the link below:

https://img1.steemit.com/0x0/http://i.giphy.com/3o72F8HbKcxh60v3Ne.gif

Any image URL can be appended after the '0x0/' path segment, and the browser displays that image from an address starting with https://img1.steemit.com. Only the host in front of '0x0/' is steemit's; the part after it is the real origin of the image, and it is never shown to the reader as such.


I don't think this saves the external image on steemit's servers, so it's not a big threat or a high-risk vulnerability, but I still feel it can be used or misused by hackers to trick users into believing that steemit is hosting content that isn't actually there. Attackers can even display their own images or socially engineer users into downloading malicious images this way.
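As an added illustration (not part of the original post, and not steemit's own code), the following Python shows two things about URLs of the shape above. First, how to unwrap such a proxy URL and recover the real origin of the image, which is the check a link scanner or a cautious reader would want before trusting the img1.steemit.com prefix. Second, how a proxy that only serves URLs carrying an HMAC over the upstream URL, the way camo-style image proxies work, refuses an arbitrary upstream pasted in by an attacker. The proxy host, the reading of '0x0' as a WxH size segment, the first-party host list, the signed path layout and the secret are all assumptions made for this example.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Assumed for this example: the proxy host seen in the post and the hosts a
# reader would consider first-party. Neither is taken from steemit's code.
PROXY_HOST = "img1.steemit.com"
FIRST_PARTY_HOSTS = {"steemit.com", PROXY_HOST}


def _is_size_segment(segment):
    """True for a 'WxH' segment such as '0x0' or '640x480' (an assumption
    about what the '0x0' in the post's URL means)."""
    width, sep, height = segment.partition("x")
    return sep == "x" and width.isdigit() and height.isdigit()


def _as_upstream(raw, query):
    """Re-attach the query string and accept only absolute http(s) URLs."""
    upstream = raw + ("?" + query if query else "")
    parsed = urlparse(upstream)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return None
    return upstream


def unwrap_proxy_url(url):
    """Return the real image origin behind https://img1.steemit.com/0x0/<url>,
    or None if the URL is not a proxy URL of that shape.

    urlparse keeps everything after the host in .path, so the path of the
    post's example is '/0x0/http://i.giphy.com/3o72F8HbKcxh60v3Ne.gif'.
    """
    parsed = urlparse(url)
    if parsed.netloc.lower() != PROXY_HOST:
        return None
    parts = parsed.path.lstrip("/").split("/", 1)
    if len(parts) != 2 or not _is_size_segment(parts[0]):
        return None
    return _as_upstream(parts[1], parsed.query)


def is_external(url):
    """True when a proxied URL really points at a host outside the site.

    This is the comparison the address bar never makes for the reader.
    """
    upstream = unwrap_proxy_url(url)
    if upstream is None:
        return False
    host = urlparse(upstream).netloc.lower().split(":")[0]
    return host not in FIRST_PARTY_HOSTS


# Hardened form: a proxy URL is only honoured if it carries an HMAC over the
# upstream URL, computed with a secret kept server-side.
# Layout (assumed): https://img1.steemit.com/<hex sig>/<WxH>/<upstream>

def sign_upstream(upstream, secret):
    return hmac.new(secret, upstream.encode("utf-8"), hashlib.sha256).hexdigest()


def make_signed_proxy_url(upstream, secret, size="0x0"):
    """Site-side: only the site can mint URLs, because only it holds `secret`."""
    return "https://%s/%s/%s/%s" % (PROXY_HOST, sign_upstream(upstream, secret), size, upstream)


def verify_signed_proxy_url(url, secret):
    """Proxy-side: return the upstream to fetch, or None to refuse.

    An attacker who pastes an arbitrary upstream after the size segment has no
    valid signature for it, so the proxy never fetches or displays it.
    """
    parsed = urlparse(url)
    if parsed.netloc.lower() != PROXY_HOST:
        return None
    parts = parsed.path.lstrip("/").split("/", 2)
    if len(parts) != 3 or not _is_size_segment(parts[1]):
        return None
    signature, _size, raw = parts
    upstream = _as_upstream(raw, parsed.query)
    if upstream is None:
        return None
    # Constant-time comparison so the check does not leak the signature.
    if not hmac.compare_digest(signature, sign_upstream(upstream, secret)):
        return None
    return upstream


if __name__ == "__main__":
    post_url = "https://img1.steemit.com/0x0/http://i.giphy.com/3o72F8HbKcxh60v3Ne.gif"
    print("shown as:", urlparse(post_url).netloc)
    print("really from:", unwrap_proxy_url(post_url), "external:", is_external(post_url))
    secret = b"example-secret-not-real"  # constructed for the demo
    signed = make_signed_proxy_url("http://i.giphy.com/3o72F8HbKcxh60v3Ne.gif", secret)
    print("signed URL accepted:", verify_signed_proxy_url(signed, secret) is not None)
    print("unsigned URL accepted:", verify_signed_proxy_url(post_url, secret) is not None)
```

The unwrap half is what a browser extension, a link checker or a moderation bot would run over every image URL in a post to show the reader where the bytes actually come from. The signed half is the standard fix for an open image proxy: the upstream is still embedded in the path, but the proxy only fetches it when the signature matches, so the img1.steemit.com prefix can no longer be attached to content the site never chose to serve.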

There may be more ways to test or exploit this in ways that are not good for steemit users, especially those who love blogging and are not aware of these tricks. Please correct me if I am wrong somewhere, or add your input if this could be bigger than what I am thinking. I am an information security researcher but not someone who knows everything; I believe the steemit team will look into this and do their best to keep Steemit safe and secure for everyone.

Thanks!
