SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Tuesday, May 27th 2025: SVG Steganography; Fortinet PoC; GitLab Duo Prompt Injection

SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS ISC Handlers

Tech News, News, Technology


🗓️ 27 May 2025

⏱️ 7 minutes


Summary

SVG Steganography

Steganography is not limited to pixel-based images; messages can also be embedded in vector-based formats such as SVG.
https://isc.sans.edu/diary/SVG%20Steganography/31978

Fortinet Vulnerability Details CVE-2025-32756

Horizon3.ai shows how it was able to find the vulnerability in Fortinet's products, and how the issue could be exploited. The vulnerability is already being exploited in the wild and was patched May 13th.
https://horizon3.ai/attack-research/attack-blogs/cve-2025-32756-low-rise-jeans-are-back-and-so-are-buffer-overflows/

Remote Prompt Injection in GitLab Duo Leads to Source Code Theft

An attacker may leave instructions (prompts) for GitLab Duo embedded in the source code. This could be used to exfiltrate source code and secrets, or to inject malicious code into an application.
https://www.legitsecurity.com/blog/remote-prompt-injection-in-gitlab-duo
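The SVG technique summarized above leaves a recognizable trace: several fill colours in one file that differ only in the least significant bit of a channel. The following scanner, an added example that is not code from the ISC diary or from SANS, parses an SVG, collects the hex colours from fill, stroke and style attributes, and groups colours that collapse to the same value once each channel's low bit is dropped. Groups with more than one distinct member are worth a closer look. The sample SVG is constructed for the example, and the LSB-only heuristic is an assumption about how such embedding is done; it will not catch every variant.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: four fills that differ from each other only in the low
# bit of one channel (the kind of trace a colour-nudging embedding leaves)
# plus one ordinary, unrelated colour.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 40 10">
  <rect x="0" y="0" width="10" height="10" fill="#3a7bd5"/>
  <rect x="10" y="0" width="10" height="10" fill="#3a7bd4"/>
  <rect x="20" y="0" width="10" height="10" fill="#3b7bd5"/>
  <rect x="30" y="0" width="10" height="10" fill="#ff0000"/>
  <path d="M0 0h40v10H0z" style="fill:#3a7ad5;opacity:0.1"/>
</svg>"""

# Six-digit hex colours only; the trailing \b keeps #rrggbbaa from matching.
HEX_RE = re.compile(r"#([0-9a-fA-F]{6})\b")


def fill_colours(svg_text):
    """Return every 6-digit hex colour found in fill=, stroke= or style=, in document order."""
    root = ET.fromstring(svg_text)
    colours = []
    for el in root.iter():
        for attr in ("fill", "stroke"):
            colours.extend(HEX_RE.findall(el.get(attr, "")))
        colours.extend(HEX_RE.findall(el.get("style", "")))
    return [c.lower() for c in colours]


def lsb_cluster_key(hex6):
    """Drop the least significant bit of each channel: the colour 'family' the eye actually sees."""
    r, g, b = (int(hex6[i:i + 2], 16) for i in (0, 2, 4))
    return (r >> 1, g >> 1, b >> 1)


def suspicious_clusters(svg_text, min_size=2):
    """Group colours that differ only in channel LSBs; return groups with >= min_size distinct members."""
    groups = defaultdict(set)
    for c in fill_colours(svg_text):
        groups[lsb_cluster_key(c)].add(c)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}


def report(svg_text):
    """Human-readable summary for a triage note."""
    clusters = suspicious_clusters(svg_text)
    if not clusters:
        return "no LSB-adjacent colour clusters found"
    lines = [f"{len(clusters)} LSB-adjacent colour cluster(s):"]
    for key, members in clusters.items():
        lines.append(f"  family {key}: " + ", ".join("#" + m for m in members))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SVG))
```

On the constructed sample, the four blue fills land in a single family while the red fill stands alone. Legitimate artwork exported from a bitmap tracer can also produce near-identical colours, so treat a hit as a reason to inspect the file, not as proof of embedding.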

Transcript


0:00.0

Hello and welcome to the Tuesday, May 27, 2025 edition of the SANS Internet Storm Center's Stormcast.

0:08.5

My name is Johannes Ullrich, and this episode, brought to you by the Sans.edu Master's Degree Program

0:15.3

in Information Security Engineering is recorded in Jacksonville, Florida.

0:21.5

Well, today's diary was a little bit inspired by a YouTube comment stating that, well,

0:28.6

you know, you have problems doing steganography in a lot of these sort of pixel bitmap-based

0:34.3

image formats because they're often then compressed.

0:37.3

And as a result, some of

0:39.6

the detail is lost that you're usually after when you're doing steganography. So, for example,

0:47.4

in particular with formats like JPEG, for example, you have various compression levels. And

0:52.6

sometimes even on download, for example, mobile

0:55.5

ISPs famously often do that, where they, if they're able to intercept the bitstream, are

1:02.0

then able to further compress images, losing some of the detail. An alternative to these

1:10.0

bitmap-based formats is SVG. Now, SVG as an image format is very

1:17.9

popular on the web, on our website. For example, a lot of the icons use SVG because SVG is an

1:24.9

XML-based format and easily embedded as part of HTML.

1:30.1

And being vector-based, of course, usually no compression happens, and also they nicely scale

1:36.4

with the size of the image. And what you can do with SVG is not just create little icons

1:43.6

and line-based drawings, but you can convert some of the

1:49.0

bitmap-based images to SVG. And what you end up with then is basically areas in the image

1:56.7

that have a certain color, and that color can then be adjusted just the same way

2:02.9

it has been done with pixel-based images.

2:07.8

Well, that's sort of what's at least commonly done these days with SVG,

...


Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.

Copyright © Tapesearch 2025.