9

Is it possible to pack analytics code within an image and have that code fire when the image is loaded on a webpage?

The image would be inserted onto a page through a file upload form field such as if I were to add an image to this question where I have no direct access to add HTML or JS to the page.

Goal being to track page views on pages which I have no access to any code, only the ability to upload an image.

Almost kind of like a 'Trojan horse' approach but without any malicious intent.

davidcondrey
Dale Woods
  • Reference [File Uploader Vulnerabilities](http://soroush.secproject.com/downloadable/File%20in%20the%20hole!.pdf) and [Exploit Delivery via Steganography and Polyglots](http://stegosploit.info) and [Javascript-Pics polyglots](https://github.com/shrz/corkami/tree/master/misc/jspics) – davidcondrey Sep 15 '16 at 10:08
  • I could be wrong but I highly doubt this is possible. The approach entails injecting code (doesn't matter what the intent is) into someone else's code to execute based on load events. It's exactly why there are tracking pixels that do this kind of work through an image with additional params attached but since you won't be in control of rendering the image or its URL then it won't work. Even if you were able to attach image url to post params it's not the same as executing JS code on the page. Very limited. – dchayka Sep 19 '16 at 20:30
  • Every stalker who checks profile pictures on LinkedIn could be caught. – technazi Jun 03 '18 at 16:36

1 Answer

0

Tracking pixels require a specific structure and a specific server.

So I cannot imagine anything like a Trojan horse, but you can track the image load as an event.

Try something like this:

Single purpose client side

```html
<img src="" alt="Facebook is new god" id="fblogo"/>

<script type="text/javascript">
    window.onload = function () {
        var logo = document.getElementById('fblogo');
        logo.onload = function () {
            ga('send', 'event', 'FB', 'Loaded');
        };
        logo.src = 'https://facebook.com/fb/logo.png';
    };
</script>
```

Measurement protocol way - server side

```
https://www.google-analytics.com/collect

?v=1                                    // Protocol version
&tid=UA-XXXX-Y                          // Property ID
&cid=55568765456                        // Client ID stored in database or random number

&dh=forum.eu                            // referrer
&dp=image78974.png                      // filename

&t=event                                // send instruction

&ni=1                                   // non-interaction flag
&ec=Image                               // Event Category
&ea=Load                                // Event Action
&el=image78974.png                      // Event Label
```
Jakub Kriz
  • hmm not what I need. I was hoping to attach it to real images so when I embed them into forums, and other users view those images, they also get a tracking cookie from google or facebook for remarketing purposes. – Dale Woods Jun 05 '15 at 14:38
  • Then you have to use measurement protocol on server side when image is required. Each included image should be preprocessed by PHP or whatever and before returning image data, send cURL with analytics data. – Jakub Kriz Jun 05 '15 at 14:43
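The server-side approach from the answer and its follow-up comment, as an added example that is not part of the original thread: the host serving the image builds the Measurement Protocol hit from the fields a browser sends when it fetches the image. `buildHit`, `handleImage`, the injected `send`/`readImage` helpers and the sample requests are assumptions made for illustration; nothing is sent over the network.

```javascript
// Added example; all names are illustrative, not from the thread or from Google.
const COLLECT_URL = 'https://www.google-analytics.com/collect'; // endpoint from the answer
const TRACKING_ID = 'UA-XXXX-Y';                                 // placeholder from the answer

// Build the hit from what the viewer's browser sends with the image GET.
function buildHit(req, cid) {
  // File name = last path segment; the base URL only serves to parse a relative path.
  const file = new URL(req.url, 'http://img.invalid').pathname.split('/').pop();
  let embeddingHost = '';
  try {
    embeddingHost = new URL(req.headers.referer).hostname;
  } catch (_) {
    // Referer missing or malformed (e.g. stripped by Referrer-Policy): leave dh empty.
  }
  const params = new URLSearchParams({
    v: '1', tid: TRACKING_ID, cid: String(cid),
    dh: embeddingHost, dp: file,
    t: 'event', ni: '1', ec: 'Image', ea: 'Load', el: file,
  });
  return `${COLLECT_URL}?${params}`;
}

// Handler in the shape of Node's http (req, res) callback. `send` and `readImage`
// are injected (assumed helpers) so the block runs offline.
function handleImage(req, res, { send, readImage, cid }) {
  const id = cid ?? Math.floor(Math.random() * 1e10); // "random number" client ID
  const hit = buildHit(req, id);
  send(hit);                                   // report the load before returning image data
  res.writeHead(200, { 'Content-Type': 'image/png' });
  res.end(readImage(req.url));
  return hit;
}

// Constructed sample requests (not captured traffic).
const hotlinked = { url: '/image78974.png', headers: { referer: 'https://forum.eu/thread/42' } };
const noReferer = { url: '/image78974.png', headers: {} };

// Offline demo: record the hit instead of sending it.
function demo() {
  const sent = [];
  const res = { writeHead() {}, end() {} };
  const deps = { send: (u) => sent.push(u), readImage: () => 'PNG-BYTES', cid: 55568765456 };
  handleImage(hotlinked, res, deps);
  handleImage(noReferer, res, deps);
  return sent;
}
console.log(demo().join('\n'));
```

A hit is produced only when the viewer's browser fetches the image from this host: a site that stores the uploaded file itself or serves it through an image proxy never reaches the handler, and a stripped `Referer` leaves `dh` empty.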