Researchers have discovered a relatively new way to distribute malware that relies on reading malicious obfuscated JavaScript code stored in a PNG file’s metadata to trigger iFrame injections.

The authors turned to polyglot images to add the JavaScript code that redirects to a page offering a fake reward. The malicious code is hidden in a BMP type of picture and it is heavily obfuscated.

The image, which is displayed to the right of this text, looked unremarkable. Using some clever HTML5 programming under the hood, however, it delivered malicious code to unsuspecting Mac users.

The malicious code is hidden within a CDATA section of the SVG file and relies on a static XOR key to decrypt a payload at runtime. The decrypted code reconstructs a redirect command and builds a ...

Now, developer Kee Hinckley along with the folks at Somewhere Inc. have created an enhanced perl script that will take any entered URL and convert the entire page (including any images, JavaScript ...

JavaScript is a programming language used to make websites interactive and dynamic. Features such as buttons that respond to ...

All of this means, assuming the above JavaScript code was placed on a web server, reachable at host:8080, an attacker could sneak in a GET parameter representing the invisible variable, in its URL ...