It's easy to hide data inside Wikipedia pages. But before I explain how, understand that the general principle of what I will explain applies to most sites where users can edit content. They can all be used as a covert channel, but Wikipedia has become so common that it would have passed under my radar when performing a forensic investigation. But not anymore.
You can use the Wikipedia Sandbox to experiment while avoiding the wrath of the Wiki gods.
Select the "edit this page" tab to start editing the article:

Prepare the data you want to store on Wikipedia by converting it to a base64 representation (you can ZIP and/or encrypt it before converting it to base64). Insert the base64 data as a hidden comment inside the page:

Save your changes first, and then undo them via the history tab:

That's it! From now on, you can retrieve your data by comparing versions:


So how can you detect and prevent this? Disclosure: my analysis is based on observations of the HTTP traffic generated by a browser connecting to Wikipedia, and not by analyzing the MediaWiki software.
Normal Wikipedia requests (browsing the articles) are HTTP GET requests to the wikipedia.org server. Editing a page is done with an HTTP POST request:

So to detect a user updating a Wikipedia page, look for POST requests to Wikipedia. But there are exceptions to this rule. First, previews also use a POST request:

You'll have to look inside the posted form data to differentiate a save from a preview:

Another exception is a user login:

To differentiate these, use the action parameter: it is submit for article updates and submitlogin for a user login.
You can use these criteria (POST request, form data, action parameter) to block edits to the Wikipedia site via a filtering proxy. Of course, this detects and blocks all updates, not only updates to exfiltrate data.
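The three criteria above (POST request, form data, action parameter), as an added example that is not the author's code: it classifies captured requests and flags saved edits whose wikitext carries a long base64 run inside a hidden comment. It assumes the MediaWiki form-field names wpTextbox1, wpSave and wpPreview, which the post does not name.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed MediaWiki form-field names (not given in the post): wpTextbox1 carries the
# wikitext, wpSave / wpPreview are the submit buttons; action= rides on the query string.
_B64_COMMENT = re.compile(r"<!--\s*([A-Za-z0-9+/=\s]{64,})\s*-->")

def classify(method, url, body=""):
    """Sort one request into 'browse', 'save', 'preview', 'login' or 'other'."""
    parts = urlsplit(url)
    if not parts.hostname or not parts.hostname.endswith("wikipedia.org"):
        return "other"
    if method == "GET":
        return "browse"          # plain article reads
    if method != "POST":
        return "other"
    action = parse_qs(parts.query).get("action", [""])[0]
    form = parse_qs(body)
    if action == "submitlogin":
        return "login"
    if action == "submit":       # edit form: which button was pressed?
        if "wpSave" in form:
            return "save"
        if "wpPreview" in form:
            return "preview"
    return "other"

def hidden_payload_size(body):
    """Bytes of base64-looking text inside <!-- --> comments of the posted wikitext."""
    text = parse_qs(body).get("wpTextbox1", [""])[0]
    return sum(len(re.sub(r"\s", "", m)) for m in _B64_COMMENT.findall(text))

def suspicious(requests):
    """Indices of saved edits that smuggle a base64 blob in a hidden comment."""
    return [i for i, (m, u, b) in enumerate(requests)
            if classify(m, u, b) == "save" and hidden_payload_size(b) > 0]

# Constructed sample traffic, not a real capture.
SAMPLE = [
    ("GET", "https://en.wikipedia.org/wiki/Steganography", ""),
    ("POST", "https://en.wikipedia.org/w/index.php?title=Wikipedia:Sandbox&action=submit",
     "wpTextbox1=hello&wpPreview=Show+preview"),
    ("POST", "https://en.wikipedia.org/w/index.php?title=Wikipedia:Sandbox&action=submit",
     "wpTextbox1=hello%3C%21--+" + "QUJD" * 20 + "+--%3E&wpSave=Save+page"),
    ("POST", "https://en.wikipedia.org/w/index.php?title=Special:UserLogin&action=submitlogin",
     "wpName=alice&wpPassword=hunter2"),
]

if __name__ == "__main__":
    print("suspicious edits:", suspicious(SAMPLE))   # [2]
```

The same checks can be expressed as proxy filter rules: match the host, the POST method, the action value, and then the wpSave field to single out real saves.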
Didier Stevens
https://DidierStevens.com
2 comments:
Everything Didier writes teaches me something.
Probably a snort signature to detect any POSTs to Wikipedia would be a good idea in most environments, steganography or not.
Such a simple but ingenious idea!