
For those who don't know the trick: ZIP files have their index at the end of the file. So you can add a zip file to anything else and have it unzippable.

This was done because it allows adding files to zip archive files without rewriting the whole file; instead you just start writing where the index starts and add an updated index at the end. Please note that over the years there have been multiple methods of doing this, including partial indexes which don't even rewrite the index.

If the file you're adding things to is also tolerant of wrong file sizes and extra data at the end (like JPG and many others), you can just:

cat someJPG.jpg someZIP.zip > wth.jpg

feh wth.jpg => shows image

mv wth.jpg wth.zip; unzip wth.zip => works



That's probably working only because of an unzip that deals with problems. You're probably seeing an error like "warning [foo.zip]: 12345 extra bytes at beginning or within zipfile". The offsets in the zip header would be wrong. "zip -A file" would fix them. Most image upload sites would probably strip the data anyway though.
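As an added illustration (not code from the thread), this Python check does what a tolerant unzip does on such a file: it finds the end-of-central-directory record, compares the central-directory offset it claims with where the directory actually sits, and reports the difference, which is the "extra bytes at beginning" figure. The polyglot builder and the JPEG-like prefix are constructed stand-ins for the `cat` trick above.

```python
import io
import struct
import zipfile
from typing import Optional

EOCD_SIG = b"PK\x05\x06"
CDH_SIG = b"PK\x01\x02"
EOCD_LEN = 22  # fixed part of the end-of-central-directory record

def find_appended_zip(data: bytes) -> Optional[dict]:
    """Return None if no ZIP EOCD record is present; otherwise describe the
    archive and how many leading bytes precede it (what unzip warns about)."""
    # The EOCD sits within the last 64 KiB + 22 bytes (comment field <= 65535).
    tail_start = max(0, len(data) - (EOCD_LEN + 0xFFFF))
    idx = data.rfind(EOCD_SIG, tail_start)
    if idx < 0 or idx + EOCD_LEN > len(data):
        return None
    # sig, disk no, cd disk, entries on disk, entries, cd size, cd offset, comment len
    _, _, _, _, entries, cd_size, cd_offset, _ = struct.unpack(
        "<4sHHHHIIH", data[idx:idx + EOCD_LEN])
    actual_cd_offset = idx - cd_size          # directory ends where the EOCD begins
    if cd_size and data[actual_cd_offset:actual_cd_offset + 4] != CDH_SIG:
        return None                           # not a plain (non-zip64) central directory
    return {
        "eocd_at": idx,
        "entries": entries,
        "claimed_cd_offset": cd_offset,
        "actual_cd_offset": actual_cd_offset,
        "extra_bytes": actual_cd_offset - cd_offset,  # 0 for a clean archive
    }

def build_polyglot(prefix: bytes, members: dict) -> bytes:
    """Constructed helper: mimic `cat image zip` by appending an in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return prefix + buf.getvalue()

if __name__ == "__main__":
    # Constructed stand-in for a JPEG: SOI marker, filler, EOI marker.
    fake_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 100 + b"\xff\xd9"
    blob = build_polyglot(fake_jpeg, {"hello.txt": b"hello"})
    print(find_appended_zip(blob))  # extra_bytes == len(fake_jpeg) == 106
```

An upload pipeline can reject or re-encode any image for which this returns a record, since a genuine image has no EOCD at all; a result with `extra_bytes == 0` would mean the whole upload is simply a zip.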


It's astonishing that it's as simple as CATting a zip file to the end of a jpg. I feel there are consequences here for any website that accepts image uploads.


> I feel there are consequences here for any website that accepts image uploads

Steganography can be done even without file-format hacks; all that's special about this hack is its simplicity.

It could easily be defeated -- I'm sure Twitter would have no trouble sanitizing uploaded image files if they wanted to.


That's not how this works though.


Yep, you're right. It's doing something with 64k JFIF application segments ... wtf.

Well, it's still using the trick I pointed out, placing the ZIP file index at the end.

So from one viewpoint it's a JFIF("jpg") file with large application segments containing the zipfile data for the shakespeare.part0xx.rar files.

From another viewpoint, from the back of the file, it's an incremental zip file (not compressed in one go), with the garbage (the "overwritten") bytes in the zipfile updates forming a valid JFIF file.



