Is the image or message uploaded to a server?

No. Embedding, encryption and extraction happen locally in your browser using the Canvas and Web Crypto APIs. Your image, message and passphrase never leave the device.

What is the difference between Base64, XOR and AES here?

Base64 only encodes the text and offers no secrecy. The XOR passphrase cipher provides light obfuscation. AES-256-GCM with PBKDF2 provides real authenticated encryption, so without the passphrase the hidden message cannot be read or tampered with undetected.

PWN-ALL · STEGO-LAB

MODE: HIDE LSB · RGB OUT: PNG

ready

Image Steganography

Hide a message in a picture

Q: Why must the output be a PNG?

LSB steganography stores data in the least significant bits of pixels. Lossy formats like JPEG recompress and destroy those bits, so the stego image is exported as lossless PNG to keep the hidden data intact.

LSB embedding with optional Base64, XOR or AES-256-GCM encryption — all in your browser.

01 · Carrier image

Cover image PNG, JPG, WebP — output is always PNG

02 · Payload

Secret message

03 · Cipher

Encryption Passphrase

For research & educational use only. This tool is provided to study steganography and client-side cryptography. Do not use it to conceal, transmit or exfiltrate data unlawfully or in violation of any policy. You are solely responsible for how you use it and for complying with the laws of your jurisdiction.

Privacy first

Local steganography with real encryption

The cover image, secret message and passphrase are processed locally with the Canvas and Web Crypto APIs — nothing is uploaded and there are no trackers. After load it works offline. Hidden data is written into the least significant bit of the R, G and B channels, which is visually imperceptible, and exported as lossless PNG so it survives.

Why must the output be a PNG?

LSB data lives in the lowest bit of each pixel. Lossy formats like JPEG recompress and destroy those bits, so the stego image is exported as lossless PNG to keep the message intact.

What’s the difference between Base64, XOR and AES?

Base64 only encodes — no secrecy. XOR with a passphrase is light obfuscation. AES-256-GCM with PBKDF2 is real authenticated encryption: without the passphrase the message can’t be read or silently altered.

Is LSB steganography undetectable?

No. It is invisible to the eye but statistical steganalysis can flag it, and any re-encoding (messaging apps, social platforms) may strip it. Treat it as obfuscation, not a guarantee of secrecy.

Can the message be recovered without the passphrase?

For None/Base64, yes — anyone with the file can extract it. For XOR and AES the correct passphrase is required; AES additionally fails closed if the data was tampered with.