Did you know you can make one image file, that will look completely different on different operating systems? Well, I didn’t until last week, when I opened Twitter and noticed that PNG Parser was trending. The cursed tool creates PNG image files that, thanks to a weird bug, display completely differently on Apple vs non-Apple devices.
If you’ve got both Apple and non-Apple devices in your house, head on over to the PNG Parser website on each and see what you are shown. Even if you don’t have two different devices, check it out in Safari, and another browser like Brave. Desktop Firefox will also show the difference, but iOS Firefox uses Safari’s renderer so it will show the same thing.
The creator of this blursed piece of tech, David Buchanan, found it quite by accident. He was working on a way to do multi-threaded decoding of PNG files and found a bug that could be exploited in fun ways.
That fun multiplied when he realized that Apple’s own implementation of “parallel-decodable PNGs” suffers from the same bug. The result is a new tool that creates these merged PNG files, which show one image in Apple’s Safari browser and another in pretty much every other browser in existence.
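As an added example (not Buchanan’s tool and not code from this article), here is a defender’s check in Python: it walks a PNG’s chunks, verifies every CRC, flags chunk types outside the standard set, and reports how many IDAT bytes sit beyond the end of the first zlib stream. Leftover data of that kind is what a decoder that restarts decompression partway through the file could turn into a second picture, so a non-zero count is worth a closer look. The 1x1 sample images are constructed inline; the chunk-type list and the two-stream sample are my assumptions, not details from the page.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG spec plus common registered extensions (assumed list).
KNOWN = {"IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP", "sBIT",
         "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs", "sPLT", "tIME", "eXIf"}

def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: 4-byte length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def make_png(idat_payload: bytes) -> bytes:
    """Constructed 1x1 8-bit RGB PNG whose single IDAT carries the given bytes verbatim."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat_payload) + chunk(b"IEND", b"")

def audit_png(blob: bytes) -> dict:
    """Walk the chunks, verify CRCs, and measure IDAT data left over after the
    first complete zlib stream (a normal single-stream file reports 0)."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, idat, unknown, bad_crc = len(PNG_SIG), b"", [], []
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
        name = ctype.decode("latin-1")
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            bad_crc.append(name)
        if name not in KNOWN:
            unknown.append(name)
        if ctype == b"IDAT":
            idat += data          # IDAT chunks concatenate into one zlib stream
        pos += 12 + length
        if ctype == b"IEND":
            break
    dec = zlib.decompressobj()
    scanlines = dec.decompress(idat)
    return {"unknown_chunks": unknown, "bad_crc": bad_crc,
            "first_stream_complete": dec.eof,
            "trailing_idat_bytes": len(dec.unused_data),  # bytes past the first stream's end
            "decoded_bytes": len(scanlines)}

# Constructed samples: filter byte 0 followed by one RGB pixel each.
BLUE = zlib.compress(b"\x00\x00\x00\xff")
RED = zlib.compress(b"\x00\xff\x00\x00")

if __name__ == "__main__":
    print(audit_png(make_png(BLUE)))        # trailing_idat_bytes == 0
    print(audit_png(make_png(BLUE + RED)))  # trailing_idat_bytes == len(RED)
```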
Okay, neat trick. Why should you care, beyond a little bit of fun? Well, it could be used by marketers, or even hackers to show different images to different device groups.
It could even be used to insert malicious code. The “zero-click” exploit that NSO Group used to plant the Pegasus malware took advantage of a rendering bug in Apple’s CoreGraphics PDF parser.
The PNG parser could be similarly affected. That would mean a hacker could create a PNG file that shows a normal image on non-Apple devices but delivers a payload when opened on an Apple device.
It’s unusual for such a bug to stay undetected for so long. PNGs had parallel processing added in 2011, according to a comment on HackerFactor. It seems this will need patching too, whether in the PNG decoder itself or just in the browsers’ rendering engines.