CONCEPT Cited by 1 source
File type spoofing
File type spoofing is the attack pattern where a file presents as one type — via its extension (.jpg) or MIME type (image/jpeg) — while its content bytes are a different type. The mismatch is engineered to route the file through a handler that trusts the declared type (an image renderer) when in fact the content will be interpreted by a different parser (an archive extractor, a script runtime).
Adjacency to polyglots
A polyglot file is the harder form: the content bytes are simultaneously valid in two or more formats, engineered to parse differently depending on which parser receives them. File-type spoofing is the looser form — the file only needs to fool routing (extension, MIME), not two parsers.
Both classes are variants of parser-differential attacks: different consumers disagree on what the file is.
Detection at content level
The defense is content-inspection-based type detection: the handler reads magic bytes / structural markers from the file content and compares to the declared extension + MIME. Mismatch is a signal, often blocked outright.
Meta's Kaleidoscope is the canonical wiki instance: "we also detect when one file type masquerades as another, through a spoofed extension or MIME type."
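The content-inspection check described above, as an added example that is not code from the page or from Kaleidoscope: a small magic-byte sniffer compares the type implied by the leading bytes against both the extension and the declared MIME type, and reports a mismatch with either as spoofing. The signature table, the extension map and the sample inputs are constructed for illustration and are deliberately not exhaustive.

```python
import os
from typing import Optional

# Constructed signature table: MIME type -> leading byte patterns (not exhaustive).
SIGNATURES = {
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/gif": [b"GIF87a", b"GIF89a"],
    "application/pdf": [b"%PDF-"],
    "application/zip": [b"PK\x03\x04"],   # also the container for docx/jar/apk
    "application/x-dosexec": [b"MZ"],     # PE executable
    "application/x-elf": [b"\x7fELF"],
}

# Constructed map of the type a routing layer would assume from the extension alone.
EXT_TO_MIME = {
    ".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png",
    ".gif": "image/gif", ".pdf": "application/pdf", ".zip": "application/zip",
    ".exe": "application/x-dosexec",
}


def sniff_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the content bytes, or None if unrecognised."""
    for mime, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return mime
    return None


def check_declared_type(filename: str, declared_mime: Optional[str], data: bytes) -> dict:
    """Compare the sniffed type with every declared claim (extension and MIME).

    verdict is 'spoofed' if the content disagrees with any claim, 'consistent' if it
    agrees with all of them, and 'unknown' if the content type cannot be sniffed at
    all (an unknown type is not a pass; the caller decides how to route it).
    """
    ext_mime = EXT_TO_MIME.get(os.path.splitext(filename)[1].lower())
    content_mime = sniff_type(data)
    claims = {m for m in (ext_mime, declared_mime) if m}
    if content_mime is None:
        verdict = "unknown"
    elif any(c != content_mime for c in claims):
        verdict = "spoofed"
    else:
        verdict = "consistent"
    return {"ext_mime": ext_mime, "declared_mime": declared_mime,
            "content_mime": content_mime, "verdict": verdict}
```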
Escalation vectors
- UX exploitation — a file that looks like an image but actually executes on open tricks the user's click-through-because-it's-an-image mental model.
- Sandbox-scope mismatch — the receiver routes the file to a handler with broader privileges than it should have been routed to.
- Security-scan evasion — if the scanner trusts the declared type and the renderer trusts the content bytes, each applies the wrong rule set.
Related / complementary checks
- concepts/format-conformance-check — beyond detecting spoofing, verify that the file actually conforms to the type its content identifies it as before passing it on.
- Dangerous-type uniform flagging — executables + applications flagged for special UX handling regardless of where they come from.
- Embedded-content risk indicators — PDF embedded files and scripting elements are a risk signal above the per-type threshold.
Seen in
- sources/2026-01-28-meta-rust-at-scale-an-added-layer-of-security-for-whatsapp — canonical wiki source. Kaleidoscope detects spoofed extension or MIME-type as one of its four check families.