Compromised SVGs boost posts, steal data
Malicious SVG files are being weaponized to secretly like Facebook posts without user consent
Attackers hide obfuscated JavaScript in images to bypass detection and execute dangerous social media hijacks
Trojan.JS.Likejack silently boosts targeted Facebook posts by exploiting active sessions of unsuspecting victims
Security researchers have uncovered dozens of adult websites that are embedding malicious code inside Scalable Vector Graphics (.svg) files.
Unlike common image formats such as JPEG or PNG, SVG files use XML text to define images, which can include HTML and JavaScript.
This feature makes SVG suitable for interactive graphics but also opens the door for exploitation through attacks like cross-site scripting and HTML injection.
How the clickjacking attack works
Research from Malwarebytes found that selected visitors to these websites encounter booby-trapped SVG images.
When clicked, the files run heavily obfuscated JavaScript code, sometimes using a hybrid version of a technique known as “JSFuck” to disguise the script’s true purpose.
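An added example, not code from Malwarebytes or the original article: a minimal static check that flags the active content an SVG can carry (script elements, event-handler attributes, `javascript:` links, embedded HTML) and script bodies written almost entirely in the six JSFuck characters. The function names, thresholds and sample SVGs are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

JSFUCK_CHARS = set("[]()!+")  # the six characters JSFuck code is written in

def local(name):
    """Strip an XML namespace: '{ns}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()

def jsfuck_ratio(code):
    """Share of non-whitespace characters drawn from the JSFuck alphabet."""
    chars = [c for c in code if not c.isspace()]
    return sum(c in JSFUCK_CHARS for c in chars) / len(chars) if chars else 0.0

def scan_svg(svg_text, min_len=40, threshold=0.9):
    """Return sorted findings for active content in one SVG document."""
    # Assumed thresholds; a hybrid encoding may need a lower ratio.
    # For untrusted files in production, use a hardened parser (e.g. defusedxml).
    findings = set()
    for el in ET.fromstring(svg_text).iter():
        tag = local(el.tag)
        if tag == "script":
            findings.add("script-element")
            code = "".join(el.itertext())
            if len(code) >= min_len and jsfuck_ratio(code) >= threshold:
                findings.add("jsfuck-like-script")
        elif tag == "foreignobject":
            findings.add("foreignObject-embedded-html")
        for attr, value in el.attrib.items():
            name = local(attr)
            if name.startswith("on"):
                findings.add("event-handler-attribute")
            if name == "href" and re.match(r"\s*javascript:", value, re.I):
                findings.add("javascript-uri")
    return sorted(findings)

# Constructed samples, not taken from the campaign described above.
BENIGN = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SUSPECT = (
    '<svg xmlns="http://www.w3.org/2000/svg" onclick="go()">'
    '<script>' + "[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]]" * 3 + '</script>'
    '</svg>'
)

if __name__ == "__main__":
    print(scan_svg(BENIGN))
    print(scan_svg(SUSPECT))
```

A plain image should return an empty list; any finding on a file served as an image is grounds to strip the active content or refuse the upload.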