If a website allows the user to upload files, it’s usually considered a vulnerability and the server has to do a bunch of checks.
Does it depend on what the server does with the file? If the user uploads a hacking script, but the server is configured to do absolutely nothing with what’s uploaded, how can that script ever run?
And how can a user know what the server is doing with the file? Yeah trial and error, but trial what, and aren’t there countless things to trial?
Parsing any file for validity is an opportunity for flaws in its coding to be exposed. This is even more risky if the data given to it is from an unknown third-party who could have maliciously crafted the data to exploit exactly those flaws.
Something as innocent as a spreadsheet, PNG, PDF, MP3 etc. can easily be crafted to take account of known flaws in certain pieces of software that are used to process or render them.
It’s just not a case of the server storing a file and regurgitating it later, that much is too simple. But if you upload a PNG or JPEG or MP4 or MP3 to Facebook, you want to see / hear it, don’t you? And you want others to do so, too. Hence that file is processed and delivered to end-users and maybe delivered to their browser or their local plugin/extension/software in order to see it. That’s a prime opportunity to use Facebook, for example, to compromise everyone who tries to open that file.
And, yes, innocent files that even play correctly on most computers can have flaws deliberately inserted into them that will cause servers to crash, hang, spew memory, execute code, etc. if the software that’s processing them is vulnerable.
Also: All software is vulnerable. It doesn’t matter how well coded or popular it is, it will have these kinds of flaws and people will find more every day. Almost all websites use FFMPEG when processing video, for example. And FFMPEG has had just such flaws. The same for things like libpng (for PNG files), libvorbis (for OGG audio files), Adobe Acrobat (for PDF files), etc.
It’s a rule in programming that you treat ALL data of unknown origin – and everything that your user sends you – as “unsanitised” data, and take the absolute greatest care when processing it. Because that file can have malicious things inside it that your software may process badly and you won’t even know until it’s already happened.
An example of such a thing – most files have to tell you to set aside an amount of memory. Because they’re compressed, and the file records what the uncompressed size will be, your program has to “trust it” and set aside that much memory in order to process the file. Bam. Now you have the opportunity as an attacker to craft a file that expands to fill all RAM, that gets the computer into an infinite loop when processing it, that tries to allocate too small a buffer deliberately and thus the contents “spill over” into RAM that the computer is using for other things, and you have a dozen ways to cause problems – everything from hanging the server, slowing it down, crashing it, to compromising it and stealing information from other users!
So you have to process it REALLY carefully, take no chances, trust NOTHING that’s inside the file, even imagine new attacks like the above and where they might sneak in, and make sure that your software is doing exactly what you think and keep it up to date, and patch against all the latest flaws immediately – but your users still want to just look at that JPG they got from a friend and uploaded and they want to do it NOW.
As an example, did you know that WMF files (an early vector format, not unlike SVG) were actually just Windows executables? They used to “draw” shapes by just running certain internal Windows functions as part of a normal executable program. Until one day someone changed that program to do malicious things just by you opening a particular WMF they had made… and only THEN did Microsoft and everyone else start locking down how they processed WMF files.
And it’s constant and ongoing – there are flaws in major software suites every day just parsing ordinary Word docs or image files or video files or audio files. And every day someone finds a hole, uses it to craft a malicious file, sends that file out by email or Whatsapp link or Facebook post or whatever, and all those companies have to detect that, patch all their software everywhere across the world, and make sure they haven’t missed anything and haven’t broken any legitimate files in the process.
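As an added example (not part of the answer above), here is a decoder for a made-up run-length format that shows the checks the answer describes: the uncompressed size the header declares is capped before anything is allocated, the payload length is checked against the bytes actually present, and every run is bounds-checked before it is written. The "TOYC" format, the function names and the sample files are all constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed "TOYC" run-length format: magic "TOYC", declared uncompressed
 * size (u32 LE), payload length (u32 LE), then payload of (count, byte) pairs. */
#define MAX_DECOMPRESSED (1u << 20)  /* hard cap: a header may not demand more than 1 MiB */
enum { TOY_OK = 0, TOY_ERR_HEADER = -1, TOY_ERR_TOO_BIG = -2, TOY_ERR_TRUNCATED = -3,
       TOY_ERR_OVERFLOW = -4, TOY_ERR_SHORT = -5, TOY_ERR_MISMATCH = -6 };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode into a freshly malloc'd buffer. Every size taken from the file is checked
 * against what the file really contains and what we are willing to allocate. */
int toy_decode(const uint8_t *buf, size_t len, uint8_t **out, size_t *out_len) {
    *out = NULL; *out_len = 0;
    if (len < 12 || memcmp(buf, "TOYC", 4) != 0) return TOY_ERR_HEADER;
    uint32_t declared = rd32(buf + 4), payload = rd32(buf + 8);
    if (declared > MAX_DECOMPRESSED) return TOY_ERR_TOO_BIG;              /* memory-exhaustion guard */
    if (payload > len - 12 || payload % 2 != 0) return TOY_ERR_TRUNCATED;  /* payload must lie inside the file */
    uint8_t *dst = malloc(declared ? declared : 1);
    if (!dst) return TOY_ERR_TOO_BIG;
    size_t produced = 0;
    for (size_t i = 0; i < payload; i += 2) {
        size_t run = buf[12 + i];
        if (run > declared - produced) { free(dst); return TOY_ERR_OVERFLOW; }  /* run would spill past dst */
        memset(dst + produced, buf[13 + i], run);
        produced += run;
    }
    if (produced != declared) { free(dst); return TOY_ERR_SHORT; }          /* header lied the other way */
    *out = dst; *out_len = produced;
    return TOY_OK;
}

/* Constructed sample files: one honest, two with lying headers. */
static const uint8_t GOOD[]       = { 'T','O','Y','C', 5,0,0,0, 4,0,0,0, 3,'a', 2,'b' };  /* "aaabb" */
static const uint8_t LIES_SMALL[] = { 'T','O','Y','C', 2,0,0,0, 4,0,0,0, 3,'a', 2,'b' };  /* claims 2, emits 5 */
static const uint8_t LIES_HUGE[]  = { 'T','O','Y','C', 0xff,0xff,0xff,0xff, 0,0,0,0 };     /* demands 4 GiB */

/* Returns the decoder's code, or TOY_ERR_MISMATCH if it succeeded with unexpected output. */
int decode_result(const uint8_t *buf, size_t len, const char *expect) {
    uint8_t *out; size_t n;
    int rc = toy_decode(buf, len, &out, &n);
    if (rc != TOY_OK) return rc;
    int same = (n == strlen(expect) && memcmp(out, expect, n) == 0);
    free(out);
    return same ? TOY_OK : TOY_ERR_MISMATCH;
}
```

A decoder that instead did `malloc(declared)` and copied runs without the per-run check would be the "trust the header" pattern the answer warns about: the huge header exhausts memory, the small one overruns the buffer.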