Show HN: Hide an encrypted message inside a photo, in the browser

trivsamt1 pts0 comments

Hide a Secret Message in an Image - Steganography | Vajba

Drop an image here

or tap to browse your files

JPG, PNG, WebP, HEIC - export is always PNG

Choose image

×

Secret message

Password optional

With a password the message is encrypted with AES-256. Without one it is only hidden, so anyone with this tool could read it.

Short passwords are easier to guess. A longer one protects the message better.

Hide message & download PNG

Message hidden and PNG saved. To keep it intact, send the image as a file or document. Sending it as a photo in chat apps recompresses it and destroys the message.

This image has a hidden message.

Hidden message

Copy

Hide a new message in this image instead

This message is password-protected.

Password

Reveal message

Hidden message

Copy

Hide a new message in this image instead

How does this work?

The short version

This tool hides your message inside the picture itself. The image looks exactly the same as before, but your words are tucked invisibly into it. Whoever you send it to simply drops the image on this page to read them.

Add a password and the message is also locked, so only someone who knows the password can open it. Nothing is uploaded anywhere. The picture and the message stay on your own device the whole time.

One thing to remember: send the downloaded image as a file or document. Sending it as a regular photo in a chat app usually squeezes the image, and that wipes the message out.

For the nerds

Your text is written into the least significant bit of the red, green, and blue values of the image's opaque pixels (LSB steganography), so no color channel shifts by more than 1 out of 255. With a password, the message is first encrypted with AES-256-GCM, using a key stretched from your password with 600,000 rounds of PBKDF2, and the header is authenticated along with the ciphertext. A wrong password or a tampered file fails cleanly instead of producing plausible nonsense.

Every export is decoded again and compared byte for byte before the download starts, so a browser that alters pixels while saving can never hand you a broken image. Exporting also strips the original photo's camera and location (EXIF) data, and everything runs in your browser: no uploads, no storage, no accounts.

The export is always PNG on purpose. PNG is lossless, so the hidden bits survive, while JPEG re-compression or a screenshot destroys them. And to be honest: a password protects what the message says, but steganalysis tools can still tell that an image was modified. This is built for playful, private secrets between friends, not for hiding things from forensic analysis.

Say hi at [click to reveal email]

message image password hidden hide photo

Related Articles