Mobius by Link-Shield

Image-Based XSS Attack Concept

Photographic Memory

How a Broken Image Can Steal More Than Just Your Attention



By Guy Ushomirsky

Published: March 2025

They say a picture is worth a thousand words — but what about an image that contains a thousand lines of malicious code?

Recently at Link-Shield, we spotted a sneaky attack vector that uses one of the last things you'd expect — the humble HTML <img> tag.

Attackers found a way to inject JavaScript into websites without using the usual suspects like <script> tags. Instead, they hide their code inside an image tag using an event-handler attribute that naive filters often overlook: onerror. The one precondition is that attacker-supplied text ends up in the page as raw, unescaped HTML, which is exactly the situation in a reflected or stored XSS bug.

🧨 Why onerror?

Because if the image fails to load (a broken URL, a 404, or a response that isn't a valid image), the browser fires the error event and runs whatever code is sitting in the onerror handler. No click and no user interaction is needed, and no <script> tag ever appears in the markup.

Here’s a basic example:

<img src="notfound.jpg" onerror="alert('Hacked!')">

Since notfound.jpg doesn't exist, the request fails, the error event fires, and the onerror code runs, in this case a simple popup. But attackers don't stop at popups; anything the page's own JavaScript can do, the handler can do too.
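To make the injection context concrete, here is an added example (not code from the Link-Shield post): untrusted text spliced into HTML as markup, beside the escaped version that turns the attacker's tag into harmless text. It runs under Node.js with no DOM, because the bug is in how the string is built, not in the browser. The function and variable names are assumptions for illustration.

```javascript
// Added example, not code from the Link-Shield post. Function and variable
// names are assumptions. Runs under Node.js; no browser is needed.

// Constructed attacker input, e.g. a display name typed into a profile form.
const attackerInput = `<img src="notfound.jpg" onerror="alert('Hacked!')">`;

// Vulnerable: the value lands in the page verbatim. The browser parses the
// attacker's <img>, requests notfound.jpg, gets a failure and fires onerror.
function renderGreetingVulnerable(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Hardened: escape the characters that can open a tag, close an attribute or
// otherwise change parsing context. One pass, so inserted entities are never
// re-escaped. The angle brackets become text, so no <img> element and no
// onerror attribute ever exist in the DOM.
function escapeHtml(value) {
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => entities[c]);
}

function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Does the rendered fragment still contain a live onerror attribute?
// Crude but sufficient here; a real check would walk an HTML parse tree.
function containsOnerrorAttribute(html) {
  return /<[^>]*\sonerror\s*=/i.test(html);
}

console.log(renderGreetingVulnerable(attackerInput)); // live <img onerror=...>
console.log(renderGreetingSafe(attackerInput));       // the same payload as inert text
```

In the browser the equivalent mistake is `element.innerHTML = untrusted`, and the equivalent fix is `element.textContent = untrusted` (or a templating engine that escapes by default). As a second layer, a Content-Security-Policy whose script-src does not include 'unsafe-inline' makes the browser refuse to run inline event handlers at all, so even a successful injection of `onerror="..."` does nothing.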

Broken image concept

🔍 Hiding Malicious Code

Now, if an attacker just wrote alert('Hacked!'), that’s pretty easy to spot and block. So how do they hide it?

One common trick is Base64 encoding combined with two JavaScript functions: atob() undoes the encoding at runtime, and eval() executes the decoded text as code. Neither "alert" nor any other telltale keyword appears in the markup, so a filter that only looks for known-bad strings sees nothing.

Here's a sneakier version of the same attack:

<img src="notfound.jpg" onerror="eval(atob('YWxlcnQoJ0hhY2tlZCEnKQ=='))">
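Here is an added example of how a defender can unwind that trick: a small scanner, written for this page and not Link-Shield's own detection logic, that pulls inline event-handler attributes out of HTML, decodes any atob('...') payload inside them, and reports whether the handler feeds a code-execution sink. It runs under Node.js. The sample markup is constructed for illustration; the function names and the sink list are assumptions.

```javascript
// Added example, not Link-Shield's detection logic. Runs under Node.js.
// Function names, the sink list and the sample markup are assumptions.

// on<event>="...", on<event>='...' or on<event>=unquoted, preceded by the
// whitespace an attribute would have. Heuristic only: a production scanner
// should walk a real HTML parse tree and decode HTML entities first, because
// the browser does (&#x61;tob is still atob to the browser, not to this regex).
const EVENT_ATTR = /\son([a-z]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// atob('...') or atob("...") with a Base64 literal as its argument.
const ATOB_CALL = /atob\(\s*(["'])([A-Za-z0-9+/=]*)\1\s*\)/g;

// Functions that turn a string into running code.
const CODE_SINKS = /\b(eval|Function|setTimeout|setInterval|document\.write)\b/;

function decodeBase64(b64) {
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Returns one finding per inline handler found in `html`.
function scanInlineHandlers(html) {
  const findings = [];
  for (const m of html.matchAll(EVENT_ATTR)) {
    const handler = m[2] ?? m[3] ?? m[4];
    // What atob() would hand back at runtime, for each literal it is given.
    const decoded = [...handler.matchAll(ATOB_CALL)].map((a) => decodeBase64(a[2]));
    findings.push({
      event: 'on' + m[1].toLowerCase(),
      handler,
      decoded,
      // eval(atob(...)) and friends, in the handler itself or in a decoded layer.
      reachesCodeSink: CODE_SINKS.test(handler) || decoded.some((d) => CODE_SINKS.test(d)),
    });
  }
  return findings;
}

// Constructed samples: a clean tag, the plain payload and the Base64 version.
const samples = [
  `<img src="logo.png" alt="Company logo">`,
  `<img src="notfound.jpg" onerror="alert('Hacked!')">`,
  `<img src="notfound.jpg" onerror="eval(atob('YWxlcnQoJ0hhY2tlZCEnKQ=='))">`,
];

for (const html of samples) {
  for (const f of scanInlineHandlers(html)) {
    console.log(f.event, '=>', f.decoded.length ? f.decoded : f.handler,
      f.reachesCodeSink ? '[code sink]' : '');
  }
}
```

The point of decoding rather than pattern-matching the Base64 blob is that the encoded string changes with every payload, while the eval(atob(...)) shape and the decoded code do not. Attackers can add more layers (nested atob(), String.fromCharCode(), unescape()), so a real scanner loops until no further decoding applies and still treats any inline handler reaching a code sink as suspicious, regardless of what it decodes to.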

That weird string? It's just Base64 for alert('Hacked!'): atob() decodes it and eval() runs it, and a filter looking for the word "alert" never sees it.

🚨 Why You Should Care

But now imagine if instead of a harmless alert, the attacker was:

🛡️ The Good News

Attacks like this can be stopped, and Link-Shield is built to catch exactly these kinds of sneaky tricks before they ever reach your users.

Our system analyzes content in real time and detects when something shady (like a hidden eval(atob()) inside an image tag's event handler) is about to run, so you're protected even if an attacker finds a creative way to inject code.
