This image Can Hack You (The .webp Exploit)

Seytonic
9 Oct 2023, 05:37

TLDR

State-sponsored hackers have exploited a vulnerability in the .webP image format to compromise iPhones by embedding malware within images. This issue affects not only iOS but also a wide range of software that uses the libwebp library to handle .webP images, including Chrome, Discord, Microsoft Teams, Slack, Skype, Gimp, Signal, and TOR. NSO Group, a notorious spyware developer, discovered this vulnerability and created BLASTPASS, an exploit chain that uses a malicious .webP image in an Apple Wallet pass shared via iMessage. The exploit was monetized through the Pegasus spyware suite, which offers extensive surveillance capabilities. The vulnerability was discovered by Citizenlab after a victim suspected a hack, leading to its reporting and patching by Apple. However, the root cause in the libwebp library was not publicly disclosed by Apple or Google, leaving many developers unaware. The buffer overflow vulnerability is difficult to exploit, limiting its use to sophisticated actors like NSO's Pegasus. The video also discusses the lucrative market for such vulnerabilities, with high rewards for those willing to sell to the highest bidder, including authoritarian governments.

Takeaways

  • 📱 State-sponsored hackers have exploited iPhones by hiding malware in images.
  • 🔍 The vulnerability affects more than just iOS devices.
  • 🖼️ The root cause is the .webP image format, developed by Google in 2010.
  • 📈 Despite initial lack of support, .webP has doubled in popularity over the past year.
  • 🌐 NSO Group, a leading spyware developer, discovered a vulnerability in how .webp images are handled on iPhones.
  • 💥 They created BLASTPASS, an exploit chain that uses a malicious .webp image within a special Apple wallet pass.
  • 🤫 Victims are unaware when the malicious code is executed after receiving the pass via iMessage.
  • 🛡️ Pegasus, NSO Group's spyware suite, includes BLASTPASS and offers extensive surveillance capabilities.
  • 🔑 The vulnerability is not iOS-specific but lies in the libwebp library, affecting a wide range of software.
  • 🔄 Apple and Google both patched their software but did not publicly attribute the issue to the libwebp library.
  • 🛑 The buffer overflow vulnerability is difficult to exploit, limiting its use to sophisticated attackers like NSO's Pegasus.
  • 💰 Vulnerabilities like these can be found by teams of paid hackers or bought from traders on the dark web.

Q & A

  • What is the .webp image format and why was it developed?

    - .webp is an image format developed by Google in 2010 with the aim of becoming the leading image format on the internet. It offers better compression than JPGs, supports transparency like PNGs, and can be animated like GIFs.

  • Why has .webp had a history of being less popular despite its advantages?

    - .webp has been less popular due to limited support from major software and platforms. For a long time, Adobe software and Windows did not support it natively, and it was not compatible with Google Docs.

  • How has the support for .webp images changed recently?

    - Support for .webp images has improved recently, with Adobe software and the Windows Photos App now supporting the format. It has also doubled in popularity over the past year.

  • What is NSO Group and how did they exploit the .webp image format?

    - NSO Group is a leading spyware developer used by governments worldwide. They discovered a vulnerability in how .webp images are handled on iPhones, allowing them to hide malicious code within an image that would run on a victim's device when displayed.

  • What is BLASTPASS and how does it relate to the .webp exploit?

    - BLASTPASS is an exploit chain created by NSO Group that first exploits Apple Wallet to create a special pass containing a malicious .webp image. This pass is then shared with the victim via iMessage, executing the hidden malicious code.

  • What is Pegasus and how is it related to the .webp exploit?

    - Pegasus is a sophisticated spyware suite developed by NSO Group. It is bundled with the .webp exploit and can perform advanced surveillance functions such as tracking location, reading messages, emails, call logs, and activating microphones and cameras.

  • How was the .webp vulnerability discovered and addressed?

    - The vulnerability was discovered when a victim suspected they had been hacked and sent their iPhone to Citizenlab for analysis. Citizenlab reported the vulnerability to Apple, which then patched the bug.

  • Is the .webp vulnerability specific to iOS or does it affect other software?

    - The vulnerability is not specific to iOS. It exists in any software that uses the libwebp library to handle .webp images, which includes Chrome, Discord, Microsoft Teams, Slack, Skype, Gimp, Signal, and even TOR.

  • Why did Apple and Google not publicly report the root cause of the vulnerability?

    - Apple and Google did not publicly report that the root cause was in the libwebp library, which many use, making it seem like an iOS-specific problem. They only patched their own software without giving others a proper warning.

  • How difficult is it to exploit the buffer overflow vulnerability in .webp?

    - The buffer overflow vulnerability in .webp is quite difficult to exploit, not easily done by script kiddies. Apart from NSO's Pegasus spyware, there are no other known instances of this being used in the wild.

  • How do companies like NSO Group find vulnerabilities like the one in .webp?

    - Companies like NSO Group find vulnerabilities through their teams of highly paid hackers or by purchasing them from traders in the legal market for zero-day exploits.

  • What is Akamai and what does it offer to cloud computing users?

    - Akamai is a connected cloud service that offers a variety of cloud computing solutions. It features an app marketplace that allows users to easily set up servers with pre-configured software.

Outlines

00:00

😨 State-sponsored Hackers Exploit iPhones with Malware Hidden in .webP Images

The video discusses a critical vulnerability in the .webP image format that has been exploited by state-sponsored hackers, particularly the NSO Group, to compromise iPhones. The hackers hid malicious code within .webP images, which would execute when the image was displayed on a victim's device. The exploit, known as BLASTPASS, was bundled with NSO Group's Pegasus spyware, which is capable of extensive surveillance once installed. The vulnerability was discovered when a victim suspected hacking and had their iPhone analyzed by Citizen Lab, who reported it to Apple. The bug was subsequently patched. However, the issue is not exclusive to iOS, as the vulnerability lies in the libwebp library, which is used by many software applications, including Chrome, Discord, Microsoft Teams, Slack, Skype, GIMP, Signal, and TOR. The video also criticizes Apple and Google for not publicly reporting the root cause of the vulnerability, leading to a delayed response in patching the issue across various software.

05:02

💰 Akamai Connected Cloud: The Swiss Army Knife for Cloud Computing

The video concludes with a sponsorship message for Akamai Connected Cloud, which is presented as a versatile solution for cloud computing needs. The platform is highlighted for its app marketplace that simplifies the process of setting up servers with pre-configured software. The video offers a special deal for viewers, providing a $100 credit for a 60-day trial to encourage them to try out the service. The host thanks the viewers for watching and teases the next video in the series.

Keywords

💡Malware

Malware refers to malicious software that is designed to infiltrate, damage, or perform unauthorized actions on a computer system or a network. In the context of the video, malware is hidden within .webp images and sent to victims, exploiting a vulnerability to compromise their iPhones.

💡.webp Image Format

.webp is an image format developed by Google in 2010, known for its superior compression compared to JPGs, support for transparency like PNGs, and the ability to be animated like GIFs. Despite its advantages, it has faced compatibility issues with various software and platforms. The video discusses a critical vulnerability in .webp that has been exploited for hacking.

💡Vulnerability

A vulnerability is a weakness in a system's design, which can be exploited by a threat actor to cause harm. The video highlights a specific vulnerability in the way iPhones handle .webp images, which allows for the execution of hidden malicious code when such an image is displayed.

💡NSO Group

NSO Group is a technology company known for developing spyware. In the video, they are mentioned as the discoverers of the .webp vulnerability and creators of BLASTPASS, an exploit chain used to deliver their spyware suite, Pegasus, through malicious .webp images sent via iMessage.

💡BLASTPASS

BLASTPASS is a term used in the video to describe an exploit chain created by NSO Group. It involves exploiting Apple Wallet to create a special pass containing a malicious .webp image, which, when sent to a victim via iMessage, executes the hidden code without the victim's knowledge.

💡Pegasus Spyware

Pegasus is a sophisticated spyware suite developed by NSO Group, often referred to as the 'Rolls-Royce of spyware.' As detailed in the video, once installed, it can track a target's location, read messages, emails, and call logs, and even activate microphones and cameras, making it a tool of choice for surveillance by authoritarian governments.

💡libwebp

libwebp is the library used by Apple and many others to handle the .webp image format. The video explains that the root of the vulnerability exploited by NSO Group lies within this library, affecting not just iOS but any software that uses libwebp, making a wide range of applications potentially vulnerable.

💡Buffer Overflow

A buffer overflow is a type of vulnerability that occurs when a program or process attempts to write more data to a buffer than it can hold. In the context of the video, the .webp vulnerability is a buffer overflow, which, while difficult to exploit, has been used by NSO Group's Pegasus spyware.

💡Citizenlab

Citizenlab is an interdisciplinary laboratory based at the University of Toronto focusing on issues related to technology, human rights, and global security. In the video, a victim suspected of being hacked sent their iPhone to Citizenlab for analysis, leading to the discovery of the .webp vulnerability.

💡Phishing Email

Phishing emails are a common method of delivering malware, where an unsuspecting user is tricked into opening a harmful attachment or clicking on a malicious link. The video suggests that the use of images like .webp in phishing emails could make it difficult for users to suspect malicious intent.

💡Zero-day Exploit

A zero-day exploit is a cyber-attack that occurs on the same day a vulnerability is discovered, before the software developer is aware of and has had the opportunity to patch the security hole. The video mentions that vulnerabilities like the one in .webp can be bought and sold, with high prices for zero-click exploits like the one NSO Group used.

💡Akamai Connected Cloud

Akamai Connected Cloud is a cloud computing service provider mentioned in the video as a sponsor. It is described as a 'Swiss army knife' for cloud computing, offering a marketplace for easily setting up servers with pre-configured software, which is relevant to the video's discussion on technology and cybersecurity.

Highlights

State-sponsored hackers have exploited a critical vulnerability in the .webp image format to hack iPhones.

The .webp format, developed by Google in 2010, offers better compression, transparency support, and animation capabilities.

Despite its advantages, .webp has historically faced poor support from major software and platforms.

.webp's popularity has doubled in the past year with improved support from Adobe and Windows Photos App.

NSO Group, a leading spyware developer, discovered a vulnerability in how iPhones handle .webp images.

NSO Group created BLASTPASS, an exploit chain that uses a malicious .webp image within an Apple wallet pass.

The exploit is executed when a victim receives a specially crafted iMessage containing the malicious .webp image.

Pegasus, NSO Group's spyware suite, has been bundled with BLASTPASS to monetize the exploit.

Pegasus can track location, read messages, emails, call logs, and activate microphone and camera on a victim's phone.

The vulnerability was discovered by Citizenlab after a victim suspected they had been hacked.

The root cause of the vulnerability lies in the libwebp library, which is used by Apple and many others.

The vulnerability affects a wide range of software beyond iOS, including Chrome, Discord, Microsoft Teams, Slack, Skype, Gimp, Signal, and TOR.

Apple and Google both patched their software but did not publicize the root cause in the libwebp library.

The buffer overflow vulnerability is difficult to exploit, limiting its use to sophisticated attackers like NSO Group.

The vulnerability has since been rectified after being publicized, providing relief to users.

Highly paid hackers or purchased vulnerabilities are how companies like NSO Group find and exploit such security flaws.

A Russian zero-day vulnerability platform has offered a $20 million bounty for iOS zero-click exploits.

Akamai Connected Cloud is highlighted as a sponsor, offering a comprehensive cloud computing solution with a $100 60-day credit for new users.