Skip to content


Subversion checkout URL

You can clone with
Download ZIP
Hiding Things Out In The Open
Ruby Shell
Fetching latest commit...
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.
LICENSE.MIT Fixed some issues in the get-payload-from-web library
piggyunpack.rb Cleanup + License

The article on the technique can be found here.


Digital Steganography For Fun And Profit


Their are two generously commented files:

  • - It gets the payloads from the web, starting from youtube and ending as a 3gp file
  • piggyunpack.rb - The code to separate the image from the audio


This is a very rough implementation of lsb image steganography. The ideal goal was outlined in this reddit post:

"A nominal, simple way to piggy back on image uploaders in order to post files of modest size ... I want to explore what that workflow and interfacing would feel like."

In the thread a number of other projects were highlighted that do similar things already:

  • FireSteg: "A steganography sidebar extension, letting you hide files inside images for covert sharing."

  • steghide: ... is a steganography program that is able to hide data in various kinds of image- and audio-files. The color- respectivly sample-frequencies are not changed thus making the embedding resistant against first-order statistical tests.

  • CameraShy: ... is the only steganographic tool that automatically scans for and delivers decrypted content straight from the Web

  • File-Encryptor. Here's the description, reddit thread and citation where I found out about it.

There's some academic work too:

Related Work

A number of people have contacted me and made projects inspired from this.

  • Austin Hamman's stegano.js is a javascript version for the browser; using base64 encoders, canvas, and a few other nice tricks. I've thought hard about the problem myself and have run into the same walls that he discloses; primarily that b64encoded data, embedded in an iframe say, "iframe src=data:..." can't do some file-name hinting, like "content-disposition: attachment; filename=" in HTTP.
Something went wrong with that request. Please try again.