This image Can Hack You (The .webp Exploit)

  • Published on 30 Jul 2024
    0:00 Why webp is hated
    1:15 How The Hack Works
    2:42 Not just iPhones
    3:20 Apple + Google’s Screwup
    4:20 How NSO Found the Vulnerability
    Sources:
    www.malwarebytes.com/blog/new...
    arstechnica.com/security/2023...
    www.malwarebytes.com/blog/new...
    www.rezilion.com/blog/the-cve...
    www.rezilion.com/blog/rezilio...
    stackdiary.com/critical-vulne...
    blog.isosceles.com/the-webp-0...
  • Entertainment

Comments • 672

  • @MundanityInsantiy 9 months ago +1212

    Memes have never been more dangerous

    • @HunterHogan 9 months ago +17

      You obviously didn't experience The Hamster Dance.

    • @blackneos940 9 months ago +7

      @@HunterHogan Open the gate, take it off its hinges. Just give PSAs about Goatse Caramels...

    • @sleepyyui 9 months ago +3

      lmao

    • @dennis8196 9 months ago +13

      Don't underestimate the power of Rick Ashley.

    • @williambrasky3891 9 months ago +5

      Listen, unless we can do an OTA update to patch our parents against racist memes they see on Facebook, memes have always been more dangerous. (And if we can, how? Pls tell me, pls. I beg of you).

  • @TheOfficialOriginalChad 9 months ago +1694

    Google makes an image format…and it becomes an exploit for every single piece of software that uses it. Phenomenal.

    • @Bigfoot_With_Internet_Access 9 months ago +128

      Big tech moment

    • @cph101dev 9 months ago +59

      Well that’s google for you

    • @c0d1ngclips25 9 months ago +123

      what comes next? registering a .zip tld?

    • @iUUkk 9 months ago +77

      It's already been proven that some software has backdoors that are disguised as exploits. I wouldn't be surprised if this was one of those.

    • @c0d1ngclips25 9 months ago +14

      @@iUUkk no doubt, but do you have official sources on that?

  • @Daniel-be6cj 9 months ago +576

    It sucks that this happened but on the other hand I'm glad my longstanding hatred of webp continues to be justified

    • @Mantellla 9 months ago +2

      real

    • @kakyoindonut3213 9 months ago +61

      There's actually no valid reason webp exists other than to annoy people who download images from the web

    • @-BigChungus 9 months ago +38

      I have a chrome extension that automatically converts webps to jpgs and pngs, it’s actually really useful

    • @macchiato_1881 9 months ago

      @@-BigChungus anyone with half a brain can go to a website to convert file formats. You're not that unique.

    • @akioasakura3624 9 months ago +2

      1000% agreed brother

  • @VirtualOA 9 months ago +313

    Webp files are the bane of my existence when I want a PNG file. Glad to know that there was a massive security issue with it.

    • @ButcherTTV 9 months ago +18

      #endwebp

    • @oliverz321 9 months ago +15

      there are some chrome extensions that allow you to convert webp to PNG before you download it

    • @laurens2562 9 months ago

      @@oliverz321 you can just rename any .webp file to a .png and it works. might also work with webp to other extensions but i'm not sure

    • @InnerEagle 9 months ago +9

      when I see a webp I automatically get pissed off
      Even if it's since 1997 im on the internet, I never had the necessity of working with webp, so can we let that format die?

    • @phygs 9 months ago

      plenty of those for PNG too

  • @XxTWMLxX 9 months ago +34

    Google makes an image format.... It's used for malware... Google makes a domain "zip" and it's used for malware.... Google is on a roll lol

    • @harleyspeedthrust4013 9 months ago +1

      they're not very smart over at google - i think it's time that faang becomes faan, or fana, or whatever i don't really care. all i know is that google is full of idiots especially at the higher levels

  • @btarg1 9 months ago +212

    Damn it's always the NSO Group. I have to say as cool as this is, I hate the NSO with a burning passion, I was hoping it would be some hobbyist security geek who came up with this :(

    • @dennis8196 9 months ago +84

      To be fair, it probably was, and they sold it to the NSO who then claimed credit for it, plausible deniability for the finder and more money than the bug bounty that it might have been eligible for.

    • @richardlyman2961 9 months ago

      @@dennis8196 Bug bounties are a fucking joke who would turn in a bug for 10k when you would sell it to Russians for 500

    • @ShadowEclipse777 9 months ago

      ​@@dennis8196 that would make a lot of sense

    • @blisphul8084 9 months ago +3

      At least NSO group is helping expose the vulnerabilities sooner rather than later.

    • @Lewisking50 9 months ago +3

      qrd? what's the problem with NSO group?

  • @skylarkblue1 9 months ago +444

    For what it's worth, discord was never vulnerable due to multiple reasons. This was also likely true for multiple of the named programs. People just saw webp and panicked without doing any research other than "is the file type there? then it's vulnerable". Not to mention the ones that were vulnerable mostly all got patched before the chaos started anyway.

    • @internet_userr 9 months ago +22

      I'm not reading that

    • @internet_userr 9 months ago +138

      Alright I read it

    • @ianthehunter3532 9 months ago +15

      @@internet_userr you that read wrong

    • @kevinbissinger 9 months ago

      @@internet_userr name checks out

    • @erikedlund2904 9 months ago +10

      You and discord should get a room

  • @lavavex 9 months ago +56

    I would totally get hacked by that image in the thumbnail tbh

    • @NorthernChimp 9 months ago +4

      It hacked my brain on see.

  • @Ceereeal 9 months ago +35

    How can Google make a photo file format and not even make it compatible with their OWN APPLICATIONS

  • @interstellarsurfer 9 months ago +187

    Google giving birth to another exploit? No way. 🤣

    • @DudeSoWin 9 months ago +35

      Can we stop using new file formats that offer no advantage except a free backdoor?

    • @Proferk 9 months ago

      Stop blaming google for everything... Software is bound to have vulnerabilities. No matter if it's made by Google or by Joe.
      They didn't "give birth" to it. It was found by someone auditing the code.

    • @ギコ 9 months ago +5

      @@DudeSoWin the only good thing with webp is that it's better for storage

    • @Entropy67 9 months ago +12

      @@DudeSoWin from what I can tell there are advantages though

    • @vaisakhkm783 9 months ago +3

      In reality, google's products are most secure in the world... actually security is a joke in most MNCs
      especially when MNCs are deploying college freshers to critical production environment for saving money, what else to expect....

  • @yeetyeet7070 9 months ago +14

    The lack of a heads-up by Apple and Google (both PR/SM-partners) isn't suspicious at all.

  • @asdfghyter 9 months ago +149

    it’s 2023 and we’re still getting new buffer overflow bugs in major software. you would’ve thought that we had done something systematic about it by now, but no. ”i’m clever enough, so it’s fine for me to write this software in a memory unsafe language and not use any static analysis tools to verify this“ still seems to be a prevalent mindset and people still trust people who do that for some reason

    • @Gramini 9 months ago +19

      There's a programming language that aims to prevent most memory unsafety bugs; it's somewhat new but it constantly grows in popularity. To my knowledge, the Rust library for decoding webp was not affected :)

    • @asdfghyter 9 months ago +20

      @@Gramini yep, i assumed as much. i was explicitly thinking about rust when writing this comment.
      most programming languages are memory safe, but they also use a garbage collector, making them less well suited for high performance libraries like an image format codec, so rust would clearly be the best fit

    • @nicholasvinen 9 months ago +11

      The practices required to avoid this kind of bug (and related crashes) in languages like C are not difficult to implement.

    • @shardnugget 9 months ago +2

      Bros not a coder

    • @asdfghyter 9 months ago +2

      @@shardnugget who is not a coder?

  • 9 months ago +43

    Me with thousands of .webp images saved on my computer: *gulp*

    • @MyDarkKnightRisesWhenISeeU 9 months ago +8

      Honest question: Why do you have them saved as .webp? Has this any advantage? I always hate it, when i want to download an image and its .webp ^^

    • 9 months ago

      @@MyDarkKnightRisesWhenISeeU Many websites now, such as Reddit, only give that format. So if you try to download an image, that might be your only option. Sites like Twitter are starting as well. Whenever and however possible, I do try to avoid it but it's starting to become a point where it's the only option. Truthfully, the low file size does greatly help storage space on servers/networks, but the quality takes a hit. If I really care, I'll find a way. If it's just something to save, I could care less.

    • @GeometricPidgeon 9 months ago

      @@MyDarkKnightRisesWhenISeeU watch the video.

    • @mgord9518 9 months ago +6

      @@MyDarkKnightRisesWhenISeeU They're a lot smaller than the 30 year old formats it intends to replace

    • @lifeai1889 9 months ago +1

      @@MyDarkKnightRisesWhenISeeU yeah same because I can't resend it then

  • @joez.2794 9 months ago +85

    Images running code. Something nobody asked for, wanted, or needed. Why do I get the impression security is never going to get any better?

    • @Gramini 9 months ago +25

      It's not like that was a feature or anything. It was just a (critical) bug in a library that decoded the format, that could lead to code smuggling/code execution.

    • @apache937 9 months ago +14

      everything needs to be fully sandboxed, viewing image on discord should NEVER be able to breach outside of discord. the security of our systems are a joke @@Gramini

    • @somexne 9 months ago +5

      It's not like that. It's on the decompression mechanism. It's a total fine image, and the display of it doesn't kill, but some buffer of IoP there has code that escapes the permitted and then gets executed. I agree with both commenters above me tho, although this would not suffice, as there are jailbreaks for a reason. They would exploit the decoder and then the venv. That's why even VirtualBox and other venvs are not 100% secure. There are malware that search for venvs to break or yeet itself.

    • @battokizu 9 months ago

      @@apache937 webapps have been a disaster for the human race. You use discord you are using their spyware. No one's to blame but yourself.

    • @NinjaRunningWild 9 months ago

      @@apache937 because corporations keep “kitchen sinking” everything they get their hands on. “Let’s make a new platform, but make it more vulnerable to attack. What could go wrong?”

  • @exosfear512 9 months ago +18

    Also there is the objectively superior format jxl, which is royalty free and backwards compatible but Google being Google decided to drop support for it for chrome because it's their anticompetitive practices. Don't be evil.

    • @legendaryra3590 9 months ago +1

      What about AVIF which has better compression than WebP and is also royalty free? AVIF is also supported on chrome

  • @ImInSpainWithoutTheS 9 months ago +33

    my reason for hating webp is because I use blender, and when I need to import reference images, they're just not supported at all. PNG is far better in this case

    • @ali32bit42 9 months ago +1

      use image paste. it's a life saver

    • @nullvoid3545 9 months ago +2

      JpegXL ftw!!!

  • @Lupinicus1664 9 months ago +7

    Another excellent video. Nice work 👍

  • @solidacid1337 9 months ago +109

    It took me 10 minutes to be able to even view this video.
    Thanks YouTube, for FORCING me to view all of those scam and/or gambling ads.
    I really wish there was a comparable alternative. Until there is, I guess I'll just have to go on without watching videos on YouTube.
    I HOPE that YouTube's anti-adblocking ends up killing the platform.
    Ads are EVERYWHERE, in stores, on the streets, at bus stops, on TV, in every single app.
    I'm ALREADY paying for contacts to even be able to see, why the F do I have to pay AGAIN to be able to see stuff without ads?!
    YouTube reported 29.2 BILLION dollars of revenue last year. Forcing ads on us and blocking people with adblockers is just forking GREEDY.
    If YouTube wants me to buy "Premium", at least make it worth the money! $13.99 a month, just to not constantly be exposed to scam and gambling (same thing) ads is ridiculous!
    At LEAST give me something of value for that money.

    • @Seytonic 9 months ago +53

      I am on lbry :)

    • @solidacid1337 9 months ago +11

      @@Seytonic hadn’t heard about it until now! Great to know I can view your awesome content somewhere else!
      I love your videos man!
      Keep doing what you do, you’re awesome!

    • @its_herocast276 9 months ago +7

      Can't believe you don't know Rumble

    • @NorthernChimp 9 months ago +6

      Forcing? You can skip the ads after 5 seconds. And if you wait 30 seconds before skipping, the YouTuber will get their money even without you watching the whole ad.

    • @impyrobot 9 months ago

      uBlock Origin on browser and ReVanced on Android, both completely free and open source. I've not seen a YouTube ad in years.

  • @Jondo-ik7nv 9 months ago

    Watched your ad purely because you put it at the end. Thank you for that.

  • @DamianAI9 9 months ago +12

    I love that you used the Cat as an Example XD

  • @MalouMendoza9600 9 months ago +1

    Always on point! 💪🏼

  • @Saphintosh 9 months ago +81

    I swear to god, the only utility of the webp format is to give work to do to people developing websites to convert them

    • @anon_y_mousse 9 months ago +25

      That's one of the reasons I hate them so vehemently. If you're not converting a lossless or much higher quality image to webp, then you're losing image quality to convert instead of just using what you already have. Far too many people don't seem to understand this and all the webp images I've found had a lower quality image because of it.

    • @shapelessed 9 months ago

      @@anon_y_mousse And yet webp is getting more traction simply because being able to decrease the average size of an image by 10-15% over other formats is potentially millions worth of savings. The most expensive thing for a website or a service is literally bandwidth.

    • @Gramini 9 months ago +8

      Apart from reducing file size by around 60%, saving massively on storage and transmission size/cost/time.

    • @hiperion_1416 9 months ago +11

      and to make the web loading time on cellular data 50% faster, that's the main reason it was developed

    • @anon_y_mousse 9 months ago +5

      @@Gramini And to point it out again, if it's not an original image that will lose image quality.

  • @beastfr0meast93 9 months ago +59

    that exploit has been around for a looooong time 😂

    • @distortions 9 months ago +7

      Well yeah..

    • @featheroml 9 months ago +5

      Yes? Do you not know what a zero day is?

    • @beastfr0meast93 9 months ago +1

      @@featheroml dude - yes. Zero days, that the bug is known(public).
      This has been known public

    • @Gottrolledbythebest485 9 months ago

      Like 10-9 months

    • @Gottrolledbythebest485 9 months ago

      @@beastfr0meast93 no zero day means the company that makes the software ex Google is oblivious to the fact that the bug exists.

  • @MostlyMobiles 9 months ago +30

    Beluga is trying to hack you 😂

    • @LeftyPencil 9 months ago +2

      I had to double take at the channel lol

    • @user-tn3gt8fj7c 9 months ago +4

      Hecker took the channel 💀

    • @richie0099 9 months ago +1

      I’m sure he was just trying to send his picture directly to a girls iPhone and it turned into a malware for all phones

  • @SlinkyD 9 months ago +6

    3:50
    Rust on a buffer overflow vulnerability list.
    When safe ain't safe, just be careful. 🤣🤣🙃

    • @Gramini 9 months ago +1

      Was curious about that as well. Given that the text about it mentions "the vulnerable library" I guess it's just Rust bindings to the C-library libwebp. There's also a pure Rust library for webp.

    • @SlinkyD 9 months ago

      @@Gramini Apple & Google was mum about it. They cutting edge corps. that like to hide their faults. Not a stretch to think it was the actual Rust lib since their logo was up with the others. They'll sue devs for wrong colors, they'll sue that site for libel & whatever else if it wasn't true.
      Oxidized brains won't shut up about Rust until they see something like that. And they squirm inside their soul when they see an oxidized program segfault.

    • @corinnarust 9 months ago +2

      As a Rust developer, I'm kind of confused, it should not be possible unless using unsafe Rust or C bindings (which are also unsafe)

    • @SlinkyD 9 months ago +1

      I ain't a dev just to be clear. I just know from what I've experienced, it "shouldn't" be on the list like it is. That list seemed specific to me. Also, I acknowledge there are missing details & ambiguity to the problem being in "safe" Rust specifically.
      I saw it, my brain giggled, then I wrote 🤷🏿‍♂️

  • @Bigfoot_With_Internet_Access 9 months ago +11

    If you're on windows you can open webp images in paint and then save it as a normal image btw

    • @Rudxain 9 months ago

      Doesn't that trigger the exploit too? (I mean loading and parsing the WEBP into MSP memory)

    • @akurasubject9617 9 months ago

      @@Rudxain i don't think so because only thing paint can do is view and edit images and nothing else.

    • @hlw2499 9 months ago

      @@akurasubject9617 The problem is exactly that. The exploit allowed the hacker to insert malicious code into the software reading the image, and making it do things it wasn't supposed to do, like installing a malware.

  • @TobiCooki 9 months ago +10

    ah the good times of webp's crashing your discord app

    • @ryshellso526 9 months ago +2

      Discord is cancer anyway...

  • @weshuiz1325 9 months ago +8

    Discord already patched it btw

  • @m-man 9 months ago +5

    hey i emailed seytonic about this webp exploit Fri, Sep 29! no way!

    • @Entropy67 9 months ago +2

      Good job!

    • @MrPikachuTheMadman 9 months ago

      He probably already knew about it.

  • @anuamba 9 months ago +2

    Beluga being the center of the problem 😂😂😂😂

  • @Sparkette 9 months ago +4

    Google Voice doesn't support them either. I use it for texting from my computer and it's annoying having to convert webp images to png.

  • @poncowow9847 9 months ago +4

    That's cruel how could they hack people with beluga cat image? Did they stop using those xxxx site?

  • @CyanicCore 8 months ago +1

    Well this is (once again) terrifying.

  • @toast99bubbles 9 months ago

    Often when I download an image from Facebook Messenger, it downloads as a webp, then when I try to send it to someone, Messenger says it's not a compatible file format and also seems to think it's a gif too.

  • @xDMG15x 9 months ago +18

    Wait… you had .webp > png but the thing you mentioned was that they support transparency, like png. Why is it better than png?
    Also, every image format has better compression than jpeg

    • @alfie67 9 months ago +21

      webP has better compression + smaller file size with same image quality

    • @8BitShadow 9 months ago +8

      because it also supports animation. Which APNG already does, it's just not very well implemented.

    • @sabersz 9 months ago

      Webp is still dogshit. Every time I download an image and it turns out to be a webp i want to throw my computer through Google HQ's doors

    • @xDMG15x 9 months ago +19

      @@alfie67 png has lossless compression. The animation answer makes sense though

    • @gljames24 9 months ago +6

      @@alfie67 So does JXL while being better in every other category as well.

  • @ashrist621 9 months ago

    i saw a guy named Text to Speech make a video about this and how it related to discord. haven't watched this vid but wasn't this patched roughly a week ago, or has it appeared as something different?

  • @lainwired3946 9 months ago +1

    When you say tor is vulnerable i assume you mean the browser bundle? So does that mean firefox too, or something the tor foundation swapped out?

  • @DexieTheSheep 9 months ago +2

    It seems like every week NSO Group is being said to have gone dark and then comes back with no explanation whatsoever... I don't get it... are they shut down or not? :/

  • @myhandleiswhat 9 months ago +4

    Outside of a web browser I still can't view animated webp files. Conversion sites cause the file to bloat up as well. So it's still a basically useless format.

    • @128Gigabytes 9 months ago +1

      they aren't bloating up, webp had them compressed

    • @myhandleiswhat 9 months ago

      @@128Gigabytes if I didn't have to convert them to view/send them animated they wouldn't bloat up.

  • @xDMG15x 9 months ago +9

    So is it zero click? Or would the user be required to actually add a random pass to their wallet sent from a random person?

    • @Gramini 9 months ago +1

      IIRC the prepared image just needs to be decoded. So it depends on the targeted app if it requires a click/action for the image to show or not.

    • @xDMG15x 9 months ago

      @@Gramini copy that, thank you. By the looks of the screenshot in the video the cat pic didn't appear in the iMessage preview of the pass

  • @JEffinger 9 months ago +71

    No accident that they didn't report it. My guess is they knew state sponsored groups were using the exploit

    • @xDMG15x 9 months ago +10

      Exactly. As pro privacy as apple touts, i bet they know about us government spying methods that they could thwart if they wanted

    • @Coecoo 9 months ago +9

      Critical security vulnerabilities are always intentionally kept under wraps for months or even years due to government agencies using them. The US in particular does this a LOT.

    • @Gramini 9 months ago

      Who do you mean with "they"?
      The NSO Group? Of course they wouldn't report it, they are/were actively exploiting it…
      Google? They didn't know and fixed it once reported…

  • @MuntyScruntFundle 9 months ago

    Would be nice to know what dates this was a problem. And what to remove if somehow it through....

  • @X1ZR 9 months ago +6

    The internet can be scary place...

    • @shapelessed 9 months ago +2

      As a web dev I can with 100% certainty tell you - Yes, it god damn is. Just deep dive into some open-source analytics and tracking software, then realise closed-source big-tech solutions are even worse.

  • @Tar9989 9 months ago +113

    Yet again google ruins everything.

    • @darthvader8744 9 months ago

      Google intentionally used it to fuck over microsoft

    • @rainbowbunchie8237 9 months ago +2

      yep

  • @HikaruAkitsuki 9 months ago +10

    For both WordPress, Nodejs and Ruby on Rails developers, this is kinda concerning. But if we will not allowed webp format on user post system, maybe it will gonna fine for a while.

  • @Keksgesicht 9 months ago

    Is there a CVE number or something else which actually explains how this exploit works?

  • @alreadydead. 9 months ago +2

    The hacked person is called Ahmed Tantawi.. and he was about to be a president

  • @c-LAW 9 months ago +16

    2:13 " Pegasus can track your location, read your messages and call logs, and activate your microphone and camera..." Isn't this what apple and google does anyway? and every app installed on these OS's?

    • @H0mework 9 months ago +12

      So can your mom if you don't get the point.

    • @retro-porygon 9 months ago +9

      Yes. Difference is, Google and Apple hands your data to advertisers. Pegasus hands your data to authoritarian governments.
      One is far more worrisome than the other if you are a journalist, researcher, activist or express any political dissent.

    • @turolretar 9 months ago

      Exactly, like I’ve got nothing to hide bozos, so can spy on me with your little camera like a creepy ass dude if you want

    • @Ulysees31 9 months ago

      ​@retro-porygon I agree. Advertisers can be relentless.

    • @fluf201playz 9 months ago +6

      @@retro-porygon they do give it to governments if they request it stop talking your bs

  • @haloball12 9 months ago +3

    Getting sponsored by Akamai is crazy 😭

  • @mantacid1221 9 months ago +2

    Has google ever developed something that didn’t make hacking easier? First there’s the new TLDs (.zip for example) and now this?

  • @boris_raduloff 9 months ago +2

    I found out Google domains has died from that b-roll footage 💀

  • @Heran983 9 months ago +4

    No way memes are becoming more dangerous.

  • @gonzotrash 9 months ago

    This is not the first time this has happened and I'm not surprised it happened again

  • @lmfao69420 9 months ago +1

    like a secret weapon, polite but deadly

  • @DarkLink606 9 months ago +152

    Never waste the chance of turning a crisis into an opportunity: time for devs to deprecate the most annoying file format for good in all platforms. It's a security threat.
    If the malware turns out not to be exclusive to webp, at least we get rid of webp, that is something.

    • @sungiant2000 9 months ago +23

      What's wrong with webp? Aside from the vulnerability of course (since it is patched on most platforms now). Seems a little silly to move back to more inefficient formats. It's not like webp is a closed standard.

    • @Meck5531 9 months ago +4

      The future is AVIF an AV1 product

    • @Stahl_und_Eisen 9 months ago +14

      Bro hating on webp kinda cringe

    • @Gramini 9 months ago +14

      Yes, please get rid of gif, it's so annoying to deal with. But I wouldn't call it a security threat.
      If you watched the video you'd know that the problem was not webp, but libwebp, a somewhat common library to decode such images. The format itself is perfectly fine.

    • @mgord9518 9 months ago

      @@Meck5531 Avif will probably be overshadowed by jxl. Jxl is faster at en/decoding, retains better quality, supports progressive loading and gets better compression ratios
      Jxl > avif > webp > png, jpeg, gif

  • @papabaddad 9 months ago +1

    the other thing about being black hat and selling a zero day to bad actors is you have to trust they'll actually pay you 20mil

  • @jonathantheyorkie 8 months ago +1

    Here is how great the education system is (Sarcasm intended). I get in trouble at school for trying to save my grandmother from this attack. The school I go to, the majority of people live in very nice and expensive homes (Except for me and a few other students) so they LITERALLY expected me to allow my grandmother get hacked, and then I get in trouble with them if I don't do what they want so I can waste 1500 dollars on another computer that is completely unnecessary. Just awesome.(Sarcasm intended again)

  • @boredreindeer5602 9 months ago

    Are there any video formats that do it?

  • @imnotbeluga007 9 months ago +2

    In short, hecker hecked Beluga.

  • @sparquisdesade 9 months ago +3

    THANKS GOOGLE! Man, I can't help but feel google and apple should be fined by the FCC or something for this

  • @ShakilShahadat 9 months ago +2

    That's Beluga. Damn it hecker!

    • @user-tn3gt8fj7c 9 months ago +1

      blud hecked the channel no way 💀

  • @mbk5430 9 months ago +1

    Can we rename the file extension to .welp ?

  • @WizDumbDumb
    @WizDumbDumb 9 หลายเดือนก่อน +31

    iOS is not secure. At one time it was very secure, but popularity brings malice, as you mentioned. I have seen the most recent iOS exploit in action twice in the past six months. Apple claims to have patched this in the most recent update, but I still have concerns, as this is the same exploit they claimed to have patched previously.

    • @gnome6671
      @gnome6671 9 หลายเดือนก่อน +12

      Insane ramblings

    • @InfiniteMacroCosmos
      @InfiniteMacroCosmos 9 หลายเดือนก่อน

      @@gnome6671 they truly are

  • @Get_yotted
    @Get_yotted 9 หลายเดือนก่อน +2

    Funny, Google always creating formats that carry malware

  • @huddunlap3999
    @huddunlap3999 9 หลายเดือนก่อน +1

    This is why I subscribe.

  • @jimmyscott5144
    @jimmyscott5144 9 หลายเดือนก่อน

    I wonder if you could use this to jailbreak a phone?

  • @arrux4822
    @arrux4822 9 หลายเดือนก่อน +4

    Surely they are using these exploits on "bad guys", right guys?

    • @bubbleboy821
      @bubbleboy821 9 หลายเดือนก่อน +7

      Absolutely. Only the "bad" guys. And by bad, they mean everyone and anyone they want.

  • @sonic064
    @sonic064 9 หลายเดือนก่อน +2

    beluga hacking the world

    • @joez.2794
      @joez.2794 9 หลายเดือนก่อน

      beluwuga. can't not click

  • @nobbyfirefly57
    @nobbyfirefly57 9 หลายเดือนก่อน

    Finally, YouTube sends it to me on time

  • @pablolarreategui9489
    @pablolarreategui9489 9 หลายเดือนก่อน +2

    I don’t find the danger in that photo

  • @mintyshow
    @mintyshow 9 หลายเดือนก่อน

    wow beluga called hecker

  • @BASSNETIC-MUSIC
    @BASSNETIC-MUSIC 9 หลายเดือนก่อน +2

    Well, I'd rather get hacked by a polite cat than a rude one...

  • @marko19914
    @marko19914 9 หลายเดือนก่อน +1

    When was this vulnerability patched?

    • @KimvanConrad
      @KimvanConrad 9 หลายเดือนก่อน

      like a month or two ago

  • @stephenmandelbaum2027
    @stephenmandelbaum2027 9 หลายเดือนก่อน +1

    Beluga out there causing trouble...

  • @LyubomirIko
    @LyubomirIko 9 หลายเดือนก่อน +2

    How about some prominent popular webp viewer being made (by the same hacker group) to run the code, even if the vulnerability has been "patched", and nobody suspects it?

    • @enosunim
      @enosunim 9 หลายเดือนก่อน

      Separate viewer for webp? Why would anyone want to install that anyway?

    • @LyubomirIko
      @LyubomirIko 9 หลายเดือนก่อน

      @@enosunim I didn't say "separate viewer for webp". Any popular viewer which supports webp.

    • @enosunim
      @enosunim 9 หลายเดือนก่อน

      @@LyubomirIko OK, you mean a generic viewer with webp support. Who would need that anyway? Too low a quantity of users. Also, doesn't that mean that the author will reveal himself when he proposes this software? Why not include a backdoor from the beginning then?
      You should understand that those kinds of exploits are very tricky to run; the code should be optimized for a certain group of devices. While this method is OK to jailbreak an iPhone, as you can create an exploit for several device versions while having the device at hand, it is not so reliable when you attack generic computers, which may be really different. And if your program is not cross-platform, then there is no purpose at all. Maybe only to become the most popular image viewer, but will you need to exploit someone after that? If you do, your rating will hit the floor.

    • @LyubomirIko
      @LyubomirIko 9 หลายเดือนก่อน

      @@enosunim I especially need such a viewer with webp support. I have installed and tried a dozen of those apps on my Linux, Windows and Android devices. Some, if not most, viewers actually still don't support webp.
      There are also a ton of other exotic file types that can obviously be used as a backdoor too.
      And almost all of those apps will connect to the creator for the so-called "anonymous crash reports" and for "new update checks".
      Asking me why, how etc. doesn't make sense. This video is proof it is already implemented and that there are many spy/hacker groups working on this.

    • @enosunim
      @enosunim 9 หลายเดือนก่อน

      @@LyubomirIko this video is just a generic yt vid. Like "hey you should watch this, and all ads too pls". But the actual problem is inside a library, not a viewer program. And except for iPhone jailbreaking there are no other known existing cases. So you may sleep well.
      Actually I use Linux Mint, and I use some generic viewer, I don't even know what it is called. It opens webp with no problem. So I still do not know why you need some other unknown client for images.
      Also I stated that: why not just create any program with backdoors inside? It is a good idea anyway (no). Much more reliable than trying to exploit the webp library (yes).

  • @somekindofdude1130
    @somekindofdude1130 9 หลายเดือนก่อน +1

    They are compatible with ms paint and they were since the start.

  • @loganroman5658
    @loganroman5658 9 หลายเดือนก่อน +2

    Who in the google building made webp?

  • @aIiceqt
    @aIiceqt 9 หลายเดือนก่อน +1

    i hope this means that the cat image will be seen as the personification of malice because i hate it

  • @CarterHax
    @CarterHax 9 หลายเดือนก่อน +3

    I bet NSO was PISSED when he got the exploit patched. I wouldn't be surprised if they put a hit out on him, Mostly because their shitty exploit got patched.

    • @fusseldieb
      @fusseldieb 9 หลายเดือนก่อน +2

      I bet they have a plan B, C, D and E.

  • @Simqinq
    @Simqinq 9 หลายเดือนก่อน +1

    Yes, I have ae 2020 still and webp got me mad bro 😭

  • @aysnov
    @aysnov 9 หลายเดือนก่อน

    I'm not sure what's worse, that people still write buffer overflow bugs in 2023, or that they can still result in arbitrary code execution on a modern system.

  • @AaronNazzy
    @AaronNazzy 9 หลายเดือนก่อน +1

    Malware makes a return!

  • @AshnSilvercorp
    @AshnSilvercorp 9 หลายเดือนก่อน +7

    Europe: See, closed source security is going great?

    • @HyBlock
      @HyBlock 9 หลายเดือนก่อน +2

      webp isn't closed source though?

    • @AshnSilvercorp
      @AshnSilvercorp 9 หลายเดือนก่อน

      @@HyBlock sometimes Google's form of open-source feels like a malicious compliance.
      Even tho it's open-source, the methodology of fixing and not reporting these issues is the same way if a closed-source OS does the same and then never reports the issue to anyone else.

  • @TtEL
    @TtEL 9 หลายเดือนก่อน

    I am concerned because I was just sent an image from an unknown number while watching

  • @mongolianbeef847
    @mongolianbeef847 9 หลายเดือนก่อน +2

    just change the extension to .png

  • @dyscotopia
    @dyscotopia 9 หลายเดือนก่อน +1

    I think companies like dot webp images precisely because they are hard to work with... It keeps images from being reused without consent.
    Of course nothing loading up in paint and saving as a jpeg can't fix

    • @carlosnava1471
      @carlosnava1471 9 หลายเดือนก่อน +2

      No, it's because it makes for smaller file sizes and therefore is cheaper to host and deliver, stop spreading misinformation please

    • @dyscotopia
      @dyscotopia 9 หลายเดือนก่อน

      @@carlosnava1471 it doesn't have to be a binary thing. I have known many web developers and have built pages in WordPress and Drupal, and while I personally haven't been asked, I have heard of clients on more than one occasion with concerns over their images being reappropriated. Webp makes that slightly less convenient and has those other benefits to an extent also

  • @ericonca
    @ericonca 9 หลายเดือนก่อน

    The description includes a link to Linode, not Akamai

    • @Seytonic
      @Seytonic  9 หลายเดือนก่อน

      Linode was acquired by Akamai, they're still integrating the service. So the links remain as Linode for now :)

  • @Abcdefg-fh3fb
    @Abcdefg-fh3fb 9 หลายเดือนก่อน +1

    i hate webp files so much it's unreal

  • @shaikhmanal
    @shaikhmanal 9 หลายเดือนก่อน

    Your sponsor link redirects to Linode, not Akamai.

    • @roushikk
      @roushikk 9 หลายเดือนก่อน +1

      Akamai acquired Linode and now they're slapping their brand everywhere on Linode. This was most probably a Linode sponsorship which got changed into Akamai after the acquisition

    • @Seytonic
      @Seytonic  9 หลายเดือนก่อน +1

      yea it is a bit confusing, but as above, Akamai acquired linode :)

  • @land3021
    @land3021 9 หลายเดือนก่อน

    4:30 Man, they must get paid well!!!

  • @reed6514
    @reed6514 9 หลายเดือนก่อน +1

    Didn't Akamai buy out Linode?

  • @wetsoggytoast
    @wetsoggytoast 9 หลายเดือนก่อน

    When you're downloading an image, if it's a webp, I'm pretty sure you can just replace the .webp file extension with .png/.jpg/.jpeg.

    • @Tethrarxitet
      @Tethrarxitet 9 หลายเดือนก่อน +5

      It only changes the name, not the content inside, meaning that a webp renamed to a png is still a webp.
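
The point made in the reply above (and relevant to the earlier "just change the extension to .png" comment), as an added example that is not part of the original comments: software identifies an image by its leading bytes, so a renamed WebP is still recognised as WebP. The function names and the sample byte strings are constructed for illustration; the sample is only a header, not a decodable image.

```python
import struct
from pathlib import PurePath

# Extensions conventionally used for each container format.
EXTENSIONS = {
    "webp": {".webp"},
    "png": {".png"},
    "jpeg": {".jpg", ".jpeg"},
    "gif": {".gif"},
}

def sniff_format(data: bytes):
    """Return the image container identified by the leading bytes, or None."""
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    # WebP is a RIFF container: "RIFF", little-endian size, then "WEBP".
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    return None

def webp_first_chunk(data: bytes):
    """Return the FourCC of the first chunk of a WebP file ('VP8 ', 'VP8L', 'VP8X')."""
    if sniff_format(data) != "webp" or len(data) < 20:
        return None
    fourcc, _chunk_size = struct.unpack_from("<4sI", data, 12)
    return fourcc.decode("ascii", "replace")

def check_upload(filename: str, data: bytes) -> dict:
    """Compare the file name's extension with what the bytes actually are."""
    actual = sniff_format(data)
    ext = PurePath(filename).suffix.lower()
    return {
        "extension": ext,
        "actual_format": actual,
        # A mismatch means the name does not describe the content.
        "mismatch": actual is not None and ext not in EXTENSIONS[actual],
        "webp_chunk": webp_first_chunk(data),
    }

# Constructed samples: headers only, enough for format detection.
SAMPLE_WEBP = b"RIFF" + struct.pack("<I", 12) + b"WEBP" + b"VP8L" + struct.pack("<I", 0)
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
```

A check like this is useful at an upload or mail gateway to route files by real type; it does not replace updating the decoding library.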

  • @AshtonDavies_
    @AshtonDavies_ 9 หลายเดือนก่อน

    Google just can't produce something that doesn't have vulnerable flaws. 😑

  • @DianaProudmoore
    @DianaProudmoore 9 หลายเดือนก่อน

    Me, who converts the webp to png online before downloading: I do not possess that weakness~

  • @user-tn3gt8fj7c
    @user-tn3gt8fj7c 9 หลายเดือนก่อน +1

    @beluga what do you have to say..?

  • @retr0foxx_osu
    @retr0foxx_osu 9 หลายเดือนก่อน

    is google the one that wrote libwebp? i mean, considering that it's a library for webp that sounds like it's used a lot based on this video, then i would guess that it is but... on the small chance that it's not, then wouldn't it be wrong to say that this is google/webp's fault like everyone in the comment section is?
    and even if libwebp is made by google, then as long as it's purely a problem with the library's implementation itself and not the image format (which sounds like how it is because this video says that it's just a buffer overflow issue), then it's still not a problem with the webp image format itself, which i also see a lot of people hating on in this comment section.
    also, i still don't really know much about webp, i've only found out about it very recently somehow, so i don't really know its shortcomings besides that it was barely supported anywhere. besides that, all i've heard is that webp is actually _better_ than jpg/png in terms of memory usage, so isn't it actually good??
    i'm quite curious now, is the only reason that everyone hates it so much that it's not supported on most platforms?
    i am still lacking much information about webp and the exploit itself though so ples go easy on me if i make any dumb statements or something in here xD

    • @woskethebot
      @woskethebot 9 หลายเดือนก่อน

      blud wrote a whole ass essay 💀

  • @Aresydatch
    @Aresydatch 9 หลายเดือนก่อน

    Jpeg XR for the win

  • @nmxsanchez
    @nmxsanchez 9 หลายเดือนก่อน +1

    That cat is NOT polite! He hacked my father

  • @GuyTheAnimated
    @GuyTheAnimated 9 หลายเดือนก่อน

    that cat looks very content

  • @SkyziProductions
    @SkyziProductions 9 หลายเดือนก่อน

    I'm never going on fandom ever again