It's using JavaScript's Math.random(). I'm sure cryptography experts would have a big problem with that, but this is just for fun and not a serious attempt at encrypting data. It looks like it would be trivial to switch to window.crypto.getRandomValues() instead. Even as it is, I suspect it would be difficult to decrypt an image generated with a random key, but I don't have the expertise to say with any precision how difficult or trivial it would be.
Other image upload sites seem to preserve PNG files: Flickr, imgur, postimage.io, imgsafe.org, pasteboard, and imgbb all keep the hidden data intact. So while I can't share hidden messages on some of the usual suspects (Facebook, Twitter), there are still lots of other places to share images-within-images.
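The switch from Math.random() to crypto.getRandomValues() mentioned above, as an added example that is not part of the original post or the tool's own code. The function names are hypothetical, and the tool's actual key format is not shown on the page, so the key here is assumed to be a plain byte array.

```javascript
// Added example: helper names are hypothetical, not taken from the tool.
// Web Crypto is global in browsers and recent Node; fall back for older Node.
const rng = globalThis.crypto || require("node:crypto").webcrypto;

// Key material straight from the CSPRNG (assumed key format: raw bytes).
function randomKeyBytes(n) {
  const buf = new Uint8Array(n);
  rng.getRandomValues(buf);
  return buf;
}

// Uniform integer in [0, max). Rejection sampling discards the top slice of
// the 32-bit range that would otherwise make small values slightly likelier
// (the modulo bias of a naive `x % max`).
function randomInt(max) {
  if (!Number.isInteger(max) || max <= 0 || max > 0x100000000) {
    throw new RangeError("max must be an integer in 1..2^32");
  }
  const limit = Math.floor(0x100000000 / max) * max;
  const buf = new Uint32Array(1);
  let x;
  do {
    rng.getRandomValues(buf);
    x = buf[0];
  } while (x >= limit);
  return x % max;
}

// Drop-in replacement for Math.random(): a float in [0, 1) built from
// 53 random bits (27 high + 26 low), the full precision of a double.
function secureRandom() {
  const buf = new Uint32Array(2);
  rng.getRandomValues(buf);
  const hi = buf[0] >>> 5; // keep 27 bits
  const lo = buf[1] >>> 6; // keep 26 bits
  return (hi * 67108864 + lo) / 9007199254740992; // (hi * 2^26 + lo) / 2^53
}

// Hex form of a key, convenient for copy and paste between users.
function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}
```

Code that calls Math.random() only to scale it into an integer range should call randomInt() directly rather than multiplying secureRandom(), since that keeps the result exactly uniform.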