The Insane Bug that Allowed Hacking via a Picture

TLDRDid you know that a picture can be used to hack your device? This video discusses a bug in the lib webp library that allowed remote code execution on iPhones. The bug was used by the NSO group for remote exploitation. The bug went unnoticed for a long time due to its complexity. It has since been patched.

Key insights

:warning:A bug in the lib webp library allowed remote code execution on iPhones.

:earth_americas:The bug was used by the NSO group for remote exploitation.

:bulb:The bug went unnoticed for a long time due to its complexity.

:desktop_computer:The bug was patched in the latest versions of web browsers.

:file_folder:Old versions of libraries may still contain this bug, posing a risk to systems using them.

Q&A

How did the bug allow remote code execution?

The bug allowed the creation of a buffer overflow in the lib webp library, resulting in a double free. This could be exploited to take control of the device.

Was the bug actively exploited?

Yes, the bug was being used by the NSO group for remote exploitation on iPhones.

Why was the bug not caught earlier?

The bug was difficult to reproduce, making it hard to detect through traditional methods like fuzz testing.

Has the bug been patched?

Yes, the bug has been patched in the latest versions of web browsers.

Are old versions of libraries still at risk?

Yes, systems using old versions of libraries may still be vulnerable to this bug.

Timestamped Summary

00:00Introduction to a bug in the lib webp library that allowed remote code execution on iPhones.

01:23Explanation of how the bug worked and its implications.

03:40Discussion on why the bug went unnoticed for so long.

05:57Information on the patching of the bug in recent versions of web browsers.

07:34Warning about the potential risk of systems still using old versions of libraries containing the bug.