Tin Eye and Personal Privacy: A Hypothetical Attack Vector

If you who haven’t heard of it, Tin Eye is an image search engine with a unique twist. While most image search engines (like Google Image search) allow you to search for images based off of textual search criteria, TinEye allows you to search for images that are similar to other images.  The service works by allowing a user to upload an image file to TinEye.  Images that are “similar to” the uploaded image are returned in the search results.  (The ways in which the images are “similar”, of course, is up to the TinEye algorithm, but in my opinion/experience, its groupings make sense to me as a human.)

TinEye is thus a great resource for finding images in a series, or for finding different variations upon a specific image.  Looking for a higher quality version of a low-res pic?  Try TinEye. Curious where your favorite wallpaper came from originally?  Try TinEye.  Looking for the same without Longcat ‘shopped into it?  TinEye.

I believe, however, that this unique functionality has some interesting security implications.  I propose that, as TinEye is given more and more time to index the web, it may open up new attack vectors on personal privacy.

Cross-Site Scripting with TinyURL for Lulz and Profit

TinyURL is a service that transforms long, inconvenient URLs (like http://www.the-medium-and-the-messenger.com) into short, convenient ones (like http://tinyurl.com/yb6p4oz). Services like TinyURL are frequently used when posting links into Twitter, where character space is at a premium.

Like so many other web technologies, though, TinyURL can be abused for nefarious purposes. Specifically, it can be used for disguising payloads used in Cross-Site Scripting (XSS) attacks.