Wednesday, January 23, 2008

Usage of OpenStego in LOST

OpenStego was used to embed some secret message in an image by the creators of the alternate reality game LOST (

The data was password protected, because of which I got a huge number of queries on how to find out the password from the stegged file. This is the reply that I have:

"There is no way to get back the password from the stegged data. Problem is that the password is first hashed using MD5 - which a is one-way algorithm. This means that getting back the password is next to impossible. Only option is to use brute-force hacking of the password."

Lot of people tried varied range of passwords manually. One thing they found out was that OpenStego was accepting "README.txt" as password, but it was throwing some other exception related to GZIP. The problem is that the "PBEwithMD5andDES" algorithm accepts wide range of passwords for decryption - only thing is that it would generate garbage if password is wrong. Now as the data gets compressed first using GZIP before encrypting, while decrypting if wrong password is given (which matches the padding and so doesn't give Invalid Password message), then garbage data is generated. And when OpenStego tries to decompress it using GZIP, it gives GZIP exception because of wrong data.

Going by LostPedia, it can be seen that people have finally found out the actual password from other clues in the game.

I am going to update OpenStego, so that if GZIP exception is encountered then it will give a message: "Either the embedded data is corrupt, or invalid password was provided".

One good thing was that OpenStego got good amount of publicity due to LOST game.

No comments: