May 3, 2022

Your Image Processing System is How Hackers Will Attack Your Company.

Most every website does some sort of image processing. Either someone uploads images to your site, or you grab them from social media accounts, or your customers send them to you. Most every website then creates its own simple image-processing micro-service that will scale/rotate/massage these images in some way. Most every site is vulnerable to attack because of this.

Image processing libraries have been around for a long time, allowing us to handle all sorts of image types, from old-school .bmp, to .tiff, to modern formats like .heif. They were built and shared out of a common need, and are managed and updated by super-smart and talented people. Unfortunately, these libraries sometimes need security updates; sometimes they get them, sometimes they don't. If you take a moment to look at a CVE database you will find ALL kinds of scary vulnerabilities, from zero-day code execution, to DoS, to plain old private data leaking.

Many system maintainers work diligently to keep your computers safe from these kinds of vulnerabilities. In fact, just recently, Ubuntu issued a patch for libtiff as recently as March 12th, in which processing a malicious TIFF could lead to:

"A remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges."

You can see them here:

TIFF, JPEG, and PNG libraries.

These are the big 3 file types only, and don't include the myriad of other common file types such as PDF, or vector-handling libraries.

That's not really something I would want to happen in my automated processing systems. Have you updated all your systems with this new patch? You get my point.
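The risk above is that a decoder with a known hole gets handed an arbitrary byte stream. One cheap defensive layer, which does not replace patching the libraries, is to inspect the file header yourself before the decoder ever runs: confirm the content actually is the format the filename claims, read the declared dimensions straight out of the header, and reject anything oversized or malformed. The following is an added example written for this post, not Blitline's code or any library's API; the size limits, the accepted format list and the sample files are constructed for illustration. It uses only the Python standard library.

```python
import struct

# Constructed policy limits (assumptions for this example, not from the post).
MAX_PIXELS = 50_000_000          # declared width*height above this is rejected
MAX_BYTES = 25 * 1024 * 1024     # raw upload size cap

# Leading-byte signatures of the formats this service chooses to accept.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "bmp": (b"BM",),
    "tiff": (b"II*\x00", b"MM\x00*"),
}
EXT_TO_FMT = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif",
              "bmp": "bmp", "tif": "tiff", "tiff": "tiff"}

def sniff_format(data: bytes):
    """Format implied by the leading bytes, ignoring the filename entirely."""
    for fmt, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return fmt
    return None

def _png_size(d):
    # IHDR must be the first chunk: signature(8) length(4) 'IHDR' width(4) height(4)
    if len(d) < 24 or d[12:16] != b"IHDR":
        raise ValueError("PNG without leading IHDR")
    return struct.unpack(">II", d[16:24])

def _gif_size(d):
    # Logical screen descriptor follows the 6-byte signature, little-endian.
    return struct.unpack("<HH", d[6:10])

def _bmp_size(d):
    # Header size at offset 14 tells us whether w/h are 16-bit (CORE) or 32-bit.
    (hdr,) = struct.unpack("<I", d[14:18])
    if hdr == 12:
        w, h = struct.unpack("<HH", d[18:22])
    else:
        w, h = struct.unpack("<ii", d[18:26])   # negative height = top-down rows
    return w, abs(h)

def _jpeg_size(d):
    # Walk marker segments until a start-of-frame (SOF0..SOF15, minus DHT/JPG/DAC).
    i = 2
    while i + 4 <= len(d):
        if d[i] != 0xFF:
            raise ValueError("bad marker")
        marker = d[i + 1]
        if marker == 0xFF:                               # fill byte
            i += 1
            continue
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:  # standalone markers
            i += 2
            continue
        (seglen,) = struct.unpack(">H", d[i + 2:i + 4])
        if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
            h, w = struct.unpack(">HH", d[i + 5:i + 9])  # after precision byte
            return w, h
        i += 2 + seglen
    raise ValueError("no SOF segment")

def _tiff_size(d):
    # Byte order from the header, then the first IFD: ImageWidth=256, ImageLength=257.
    end = "<" if d[:2] == b"II" else ">"
    (ifd,) = struct.unpack(end + "I", d[4:8])
    (n,) = struct.unpack(end + "H", d[ifd:ifd + 2])
    w = h = None
    for k in range(n):
        e = ifd + 2 + 12 * k
        tag, typ, _cnt = struct.unpack(end + "HHI", d[e:e + 8])
        if typ == 3:                                     # SHORT, left-justified
            (val,) = struct.unpack(end + "H", d[e + 8:e + 10])
        elif typ == 4:                                   # LONG
            (val,) = struct.unpack(end + "I", d[e + 8:e + 12])
        else:
            continue
        if tag == 256:
            w = val
        elif tag == 257:
            h = val
    if w is None or h is None:
        raise ValueError("TIFF without ImageWidth/ImageLength")
    return w, h

SIZE_PARSERS = {"png": _png_size, "gif": _gif_size, "bmp": _bmp_size,
                "jpeg": _jpeg_size, "tiff": _tiff_size}

def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason). Runs before any third-party decoder sees the bytes."""
    if len(data) > MAX_BYTES:
        return False, "file too large"
    fmt = sniff_format(data)
    if fmt is None:
        return False, "unrecognised or disallowed format"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if EXT_TO_FMT.get(ext) != fmt:
        return False, f"extension .{ext} does not match content ({fmt})"
    try:
        w, h = SIZE_PARSERS[fmt](data)
    except (ValueError, struct.error, IndexError):
        return False, f"malformed {fmt} header"
    if w == 0 or h == 0 or w * h > MAX_PIXELS:
        return False, f"declared size {w}x{h} outside policy"
    return True, f"{fmt} {w}x{h}"

# Constructed minimal headers used as sample input (not real uploads).
def sample_png(w, h):
    return (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
            + struct.pack(">IIBBBBB", w, h, 8, 2, 0, 0, 0))

def sample_jpeg(w, h):
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + bytes(9)
    sof0 = b"\xff\xc0" + struct.pack(">HBHHB", 17, 8, h, w, 3) + b"\x01\x22\x00\x02\x11\x01\x03\x11\x01"
    return b"\xff\xd8" + app0 + sof0

def sample_tiff(w, h):
    entry = lambda tag, val: struct.pack("<HHIHH", tag, 3, 1, val, 0)
    return b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", 2) + entry(256, w) + entry(257, h) + struct.pack("<I", 0)

if __name__ == "__main__":
    for name, blob in [("ok.png", sample_png(640, 480)),
                       ("bomb.png", sample_png(100_000, 100_000)),
                       ("photo.png", sample_jpeg(320, 200)),
                       ("scan.tif", sample_tiff(640, 480))]:
        print(name, validate_upload(name, blob))
```

The check is deliberately a gate, not a parser of the full file: it reads only the fields needed to decide whether the decoder should run at all, so a hostile payload deeper in the file still reaches the real library. That is why it belongs in front of a patched decoder running in an isolated worker, not instead of one.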

As a long-time developer, I also know the 'standard operating procedure' for image processing on custom-built apps:

Image processing, once it is working for your app, is simply forgotten about. If it's working, why mess with it? Maybe you automate the OS-level security patches, but that's about all the maintenance that goes into it once it's built. Are you watching your image libraries?

ADDITIONAL PROMOTIONAL CONTENT:

You should use a third party image processor to abstract yourself away from these security headaches.

The Blitline service provides all you need when it comes to processing images. Blitline allows you to manipulate images, as well as rasterize non-web-native formats such as PDFs, Office documents, SVGs, and many 3rd-party output file types. Blitline also offers many additional services related to images, such as object recognition, face recognition, smart cropping, AI background removal, locating similar images on the web, image deduping, and website screenshots, all through a single simple API.

Blitline has been building secure image processing for years. Blitline not only lets you sleep well at night without worrying about image security problems, but will probably save you money in the process. We believe we can provide image processing more cheaply than you can do it yourself, with the added advantages of automatic security, extended functionality (like rasterizing vector or Adobe files), and high availability.