I've been fortunate in being able to speak at DEFCON seven times (including
the upcoming DEFCON XXIII). I've also covered DEFCON for Computer World Magazine.
DEFCON XV, Las Vegas NV, Aug 2007: “The Executable Image Exploit”
The “Executable Image Exploit” lets you insert a dynamic program into any community website that allows references to off-domain images, like MySpace or eBay. By uploading the following line of HTML to a community website, <img src="http://www.mydomain.com/executable.jpg">, you can launch a dynamic program that masquerades as a static image and is capable of reading and writing cookies, analyzing referrer (and other browser) variables and accessing databases. It is even possible to create an image that causes a browser to execute JavaScript.
Quote from the DEFCON XV program
This lecture described how to disguise computer programs as online images that may be used to gather specific metrics. I
also talked about how these methods were used to help a Private Investigator track an online stalker.
You can watch Michael Schrenk's DEFCON 15 talk here.
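A defender-side view of the abstract above, as an added example that is not from the talk or the original page: a community site can audit user-submitted markup for <img> references that leave its own hosts, because whatever answers such a URL receives the request headers (referrer, user agent, its own cookies) no matter what file extension the URL carries. The allowed host names and the sample post are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def host_of(url):
    """Return the host a browser would contact, or None for a same-site relative URL."""
    # Browsers treat backslashes like slashes, so normalise before parsing.
    url = url.strip().replace("\\", "/")
    parts = urlsplit(url)
    if parts.scheme in ("http", "https") or url.startswith("//"):
        return (parts.hostname or "").lower()
    return None  # relative path, data: URI, etc. -- nothing fetched off-site


class OffDomainImageFinder(HTMLParser):
    """Collects <img> sources in user-submitted markup that point off-site."""

    def __init__(self, allowed_hosts):
        super().__init__(convert_charrefs=True)
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag != "img":
            return
        src = dict(attrs).get("src") or ""
        host = host_of(src)
        # The ".jpg" suffix is not evidence of a static file; only the host
        # tells us who gets to answer (and log) the request.
        if host is not None and host not in self.allowed_hosts:
            self.findings.append((host, src))


def audit_post(html, allowed_hosts):
    """Return [(host, src), ...] for every off-domain image in a submitted post."""
    finder = OffDomainImageFinder(allowed_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    # Constructed sample post; the first <img> is the line quoted in the abstract.
    post = ('<p>Nice listing!</p>'
            '<img src="http://www.mydomain.com/executable.jpg">'
            '<img src="/avatars/1.png">')
    for host, src in audit_post(post, {"community.example"}):
        print(f"off-domain image: host={host} src={src}")
```

A site that wants to keep off-domain images can use the findings to fetch and re-host them, so visitors' browsers never contact the third-party server directly.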