Reputation: 1478
Security concerns of embedding a third party image in HTML
I'm trying to find out what's the worst case scenario, damage or repercussions of embedding an image from an ambiguous third party website from a security point of view. In specific, what technical access does the 3rd party gain to exploit?
For example, a user posts an image URL and then the image is directly embedded like so on a website:
<img src="http://www.site-thats-not-mine.com/image.jpg">
I understand that the image could be malicious, or even that it's not really an image, but what's the worst that they can do due to this? It's not like it's an uncommon practice either.
Upvotes: 4
Views: 958
Answers (3)
Reputation: 75629
For example image file can be crafted in special way to exploit bugs in browser or image libraries to hack visitor machine.
Other possible things that could go wrong - remote site is down or image is gone. Or instead of lovely flower images your site will one day start displaying bestiality p0rn... It's better to serve own content :)
Upvotes: 1
Reputation: 53319
Generally, the worst it can do is track the end user. Any headers sent along with the request for the image can be used to keep a database on end users of the image. Another bad thing it can do is change -- it could lead to a broken image on your site if the image is removed or if the server goes down; and if the image is replaced with something else, it could lead to similar problems (even possible legal issues -- for example, if the image is maliciously replaced with the intention of deceiving end users of your site).
There are also browser exploits to consider, but those are not the general problems.
Upvotes: 3
Reputation: 42915
The worst thing that could happen?
I'd say: the universe could implode. (though I am not sure if that would be such a bad thing...)
No, that is mean in a serious though somewhat exaggerated way: since it is impossible to know all possible exploits that do exist or might be developed it is formally impossible to limit the worst possible outcome of a missuse. Such a question cannot be answered seriously. You might want to re-think your question instead.
Upvotes: -2
Related Questions
- HTML Elements inside an image?
- How embedded image works in HTML?
- How to insert an image in a HTML page?
- Is it secure to blindly trust image urls and output them into html img tags on a site? Can it be used to inject code?
- What's the security risk of having javascript access an external image?
- Is there a way to embed an image inside a single Html (or even xml) document and have it displayed in the browser
- Any risk when using SSL image hosted on another site?
- Embedding an image with PHP
- Html - embed image directly in html (old school style)
- adding an image from a different website in the following html snippet