Hey there,
I have been working on the proposal for the browser extension, and I have some doubts. The following describes how I expect the system to work, according to the MIAB implementation explained in part 3.2 of the research paper [1].
Alice knows Bob's public key. She encrypts the message using an arbitrarily selected shared key and hides the message in the image; then she encrypts the shared key using Bob's public key, gets the ciphertext, and adds it to some metadata. My doubt is how the MIAB client is going to select the metadata's location (e.g. Exif.Photo.ImageUniqueID or Exif.Image.DateTime, etc.). If it's a fixed location, and if the man-in-the-middle knows that location and knows Bob's public key (since it's public), he could easily get to the message. If MIAB is going to select the location arbitrarily, how could it be transferred to Bob's MIAB client?
The same issue could be faced by browser extensions too, since all browser extension code can be accessed by anyone.
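
The exchange described above, as an added example that is not part of the original post or the MIAB code: Node.js `crypto` with the wrapped key stored in a fixed, publicly known field, showing what is needed to unwrap it. The plain object standing in for the image, the function names, and the choice of AES-256-GCM and RSA-OAEP are assumptions; no real Exif writing or steganography is performed.

```javascript
// Added illustration; not MIAB code. The "image" is a plain object standing in
// for a real file: no Exif library or steganography is used here.
const crypto = require('node:crypto');

const KEY_FIELD = 'Exif.Photo.ImageUniqueID'; // fixed, publicly known location

// Alice: encrypt under a fresh random shared key, then wrap that key for Bob.
function seal(message, bobPublicKey) {
  const sharedKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', sharedKey, iv);
  const body = Buffer.concat([cipher.update(message, 'utf8'), cipher.final()]);
  const wrapped = crypto.publicEncrypt(
    { key: bobPublicKey, oaepHash: 'sha256' }, sharedKey);
  return {
    metadata: { [KEY_FIELD]: wrapped.toString('base64') },
    // In MIAB this blob would be hidden in the pixels; here it is carried as-is.
    hidden: Buffer.concat([iv, cipher.getAuthTag(), body]),
  };
}

// Receiver: read the fixed field, unwrap the shared key, decrypt the payload.
function unseal(image, privateKey) {
  const wrapped = Buffer.from(image.metadata[KEY_FIELD], 'base64');
  const sharedKey = crypto.privateDecrypt(
    { key: privateKey, oaepHash: 'sha256' }, wrapped);
  const iv = image.hidden.subarray(0, 12);
  const tag = image.hidden.subarray(12, 28);
  const decipher = crypto.createDecipheriv('aes-256-gcm', sharedKey, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([
    decipher.update(image.hidden.subarray(28)), decipher.final(),
  ]).toString('utf8');
}

// An observer knows KEY_FIELD and Bob's public key, but not Bob's private key.
function observerCanRead(image, otherPrivateKey) {
  try { unseal(image, otherPrivateKey); return true; } catch { return false; }
}

const newPair = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const bob = newPair();
const observer = newPair(); // constructed: any key pair that is not Bob's
const image = seal('meet at noon', bob.publicKey); // constructed sample message
console.log(unseal(image, bob.privateKey));
console.log(observerCanRead(image, observer.privateKey));
```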