
New 'Zip Bomb' Turns 46MB Into 4.5PB


There's no denying that data compression is critical to modern life. It allows us to quickly download large files, keep data in sync across devices, and back up our systems without having to buy a bunch of external storage. But it also has its downsides, as researcher David Fifield proved earlier this month when he disclosed a new "zip bomb" method that can cram 4.5 petabytes (PB) into a 46MB archive.

A zip bomb is a malicious ".zip" file that contains enough data to crash the program, or the entire system, used to open it. This massive amount of data is hidden from the person extracting the archive, of course, because even a novice might question why a seemingly harmless file is so large. (As an entire generation learned by downloading music and movies from services we aren't going to name.)

To put Fifield's discovery in context: IT Pro claimed that the 10 billion photos on Facebook's service take up just 1.5PB. That means Fifield discovered a way to cram the equivalent of 30 billion Facebook photos into an archive the size of a vacation photo album. Calling something that massive a zip bomb feels like an understatement; Fifield essentially found a way to make the ".zip" equivalent of a nuclear warhead.

But there are some caveats. Fifield's new zip bomb relies on the Zip64 extension that removes the zip format's 281TB output limit. Zip64 is popular, but it's not ubiquitous like the base zip format, so this method of attack wouldn't affect some programs. It also doesn't have the greatest uncompressed-to-compressed data ratio; Fifield cited a zip bomb called 42.zip that expands to 4.5PB from just 0.6MB.

The difference is that 42.zip and its counterparts rely on recursive decompression. Instead of simply opening an unfathomable number of files by "unzipping" a single archive, they offer up to six layers of ".zip" files inside ".zip" files that increase in size with each layer. Fifield's method doesn't rely on such recursion, which could allow it to evade programs that can detect more traditional zip bombs.

Fifield explained in the blog post detailing his discovery: "It works by overlapping files inside the zip container, in order to reference a 'kernel' of highly compressed data in multiple files, without making multiple copies of it. The zip bomb's output size grows quadratically in the input size; i.e., the compression ratio gets better as the bomb gets bigger."
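The overlap Fifield describes shows up in an archive's metadata before any data is inflated. The following Python check is an added example, not code from Fifield or from this article: it flags entries whose local-file spans overlap and applies size and ratio thresholds that are assumed policy values.

```python
import io
import zipfile

LOCAL_HEADER_MIN = 30  # fixed part of a zip local file header, in bytes

def find_overlaps(entries):
    """entries: (name, header_offset, compress_size) from the central directory.
    Returns (earlier, later) name pairs whose local-file spans overlap."""
    # The end is a lower bound (name and extra fields are ignored), so a
    # well-formed archive, whose entries sit back to back, is never flagged.
    spans = sorted((off, off + LOCAL_HEADER_MIN + csize, name)
                   for name, off, csize in entries)
    overlaps, prev_end, prev_name = [], -1, None
    for start, end, name in spans:
        if start < prev_end:
            overlaps.append((prev_name, name))
        if end > prev_end:
            prev_end, prev_name = end, name
    return overlaps

def inspect_zip(data, max_ratio=1000, max_total=1 << 30):
    """Return reasons to refuse extraction; an empty list means no finding.
    Thresholds are assumed policy values, not taken from the article."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()          # reads metadata only, inflates nothing
    reasons = []
    if find_overlaps([(i.filename, i.header_offset, i.compress_size)
                      for i in infos]):
        reasons.append("overlapping entries")
    declared = sum(i.file_size for i in infos)
    if declared > max_total:
        reasons.append("declared output too large")
    if declared > max_ratio * len(data):
        reasons.append("compression ratio too high")
    return reasons

if __name__ == "__main__":
    buf = io.BytesIO()                 # constructed benign sample archive
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", "hello " * 100)
        zf.writestr("b.txt", "world " * 100)
    print(inspect_zip(buf.getvalue()))
```

The sizes checked here are the ones the archive declares about itself, so an extractor should still enforce a byte budget while it writes output.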

The good news is that Fifield said this method is limited to the zip format and the popular DEFLATE compression algorithm. That's by design: he said one of his goals was to "be compatible" and "avoid taking advantage of tricks that only work with certain parsers." Yet there are "certain ways to increase the efficiency of the zip bomb that come with some loss of compatibility," he said, to nobody's comfort.

This is just another reason to avoid downloading and opening suspicious files. We'd hope most people would know that by now, but malicious files continue to affect people, so not everyone's gotten the message. Maybe watching their system freeze up because it's trying to decompress three times as many photos as there are on the world's most popular social network would finally get the point across.