Steganography is the art and science of hiding information by embedding messages within other, seemingly harmless messages. It works by replacing bits of useless or unused data in regular computer files with bits of different, invisible information.
In this example, we hide JavaScript code in the alpha channel of a PNG file, then execute it when the image finishes loading.
The original exploit was discovered by Saumil Shah and used an HTML5 <canvas> element to execute malicious code when the image was rendered. I decided to write a simple example of the same process but using an <img> element and Peter Eigenschink's steganography.js library.
A harmless demonstration can be found here. More information about "IMAJS" (the original exploit) can be found here.
The demonstration provided cannot be embedded by means of an <img> tag, though it is fully possible to move the decoding script into a document that does embed the potentially malicious image through an <img> tag.
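On the defensive side, data hidden in the alpha channel as described above can be checked for and removed once an image is decoded to RGBA bytes. The following is an added example, not code from this page or from steganography.js; the one-bit-per-pixel layout, the function names and the sample image are assumptions made for illustration.

```javascript
// Audit the alpha channel of decoded RGBA pixels (the byte layout of
// ImageData.data). Assumption: one hidden bit per pixel in the alpha LSB, MSB first.

// Summarise alpha usage. A fully opaque image has every alpha byte at 255.
function alphaProfile(rgba) {
  const values = new Set();
  let nonOpaque = 0;
  for (let i = 3; i < rgba.length; i += 4) {
    values.add(rgba[i]);
    if (rgba[i] !== 255) nonOpaque++;
  }
  return { pixels: rgba.length / 4, nonOpaque, min: Math.min(...values) };
}

// Read alpha LSBs as bytes and return the leading run of printable ASCII.
function alphaLsbText(rgba) {
  let out = "";
  for (let p = 0; p + 8 <= rgba.length / 4; p += 8) {
    let byte = 0;
    for (let b = 0; b < 8; b++) byte = (byte << 1) | (rgba[(p + b) * 4 + 3] & 1);
    if (byte < 0x20 || byte > 0x7e) break;
    out += String.fromCharCode(byte);
  }
  return out;
}

// Heuristic: the image looks opaque to a viewer (alpha never below 254) yet
// its alpha bits vary and decode to text. Genuine transparency is not flagged.
function looksSuspicious(rgba, minChars = 8) {
  const p = alphaProfile(rgba);
  return p.nonOpaque > 0 && p.min >= 254 && alphaLsbText(rgba).length >= minChars;
}

// Mitigation: force full opacity on a copy, which erases alpha-borne data.
function flattenAlpha(rgba) {
  const clean = Uint8ClampedArray.from(rgba);
  for (let i = 3; i < clean.length; i += 4) clean[i] = 255;
  return clean;
}

// Constructed sample: 16x8 grey image with a harmless marker in the alpha LSBs.
function constructedSample(marker = "stego-marker") {
  const rgba = new Uint8ClampedArray(16 * 8 * 4).fill(128);
  for (let p = 0; p < rgba.length / 4; p++) {
    const bit = p < marker.length * 8 ? (marker.charCodeAt(p >> 3) >> (7 - (p & 7))) & 1 : 1;
    rgba[p * 4 + 3] = 254 | bit;
  }
  return rgba;
}
```

In a browser the input array would come from `getImageData(...).data` on a canvas the image was drawn to; images that do not need transparency can be flattened before they are stored or served.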