Can you get a virus from viewing Google images?

My browser is Google chrome. When I use Chrome and I look at google images, I can do three things

  1. I can scroll down the page and look at images, or
  2. I can click on an image on the page and a black box appears across my screen with the image itself on the left and on the right the website where the image is coming from is displayed, and also
  3. I am given the options "Visit page" and "View image".

My question is, can you get virus from doing (1) or (2)? I think probably doing (1) is harmless but I'm not sure whether if you do (2) you are actually visiting the site or simply enlarging the image.

Basically I'm worried about malware on Google images.

3

2 Answers

Is it possible? Yes. Is it likely? No.

The image thumbnails shown in the search results (which you call "1") are served directly from the page as embeded data: URLs. No content is served from any non-google server.

google image search thumbnails

The image previews which appear inside a black border inline with the search results and are shown when you click on a thumbnail (which you call "2") embed the image directly from the website which hosts it.

google image search inline preview

There have existed security vulnerabilities in common image formats, which can result in buffer overflows and remote code execution. In practice this is very uncommon, and it's likely that Google would detect this as malware and not show those images in search results. However, if there were a 0-day image format vulnerability and you happened to click an infected image in the search results, just using the inline preview could be enough to result in your computer being compromised.

Yes, you certainly can.

As a proof on concept of how to transmit information to the browser through JPEG headers, I can for example create a product image that has a link included in it with my website. Protected browsers will not display that, but unprotected interpreters will (like some other browsers or things like wordpress). I can upload the proof-of-concept files if you need.

Since even that JPEG header can pass info to a page/browser and that has a practical effect (it is being interpreted/processed/displayed), it means a skilled one can pass a lot of risky things.

You Might Also Like