Memes have never been more dangerous

Google makes an image format…and it becomes an exploit for very single piece of software that uses it. Phenomenal.

It sucks that this happened but on the other hand I'm glad my longstanding hatred of webp continues to be justified

Damn it's always the NSO Group. I have to say as cool as this is, I hate the NSO with a burning passion, I was hoping it would be some hobbyist security geek who came up with this :(

For what it's worth, discord was never vulnerable due to multiple reasons. This was also likely true for multiple of the named programs. People just saw webp and panicked without doing any research other than "is the file type there? then it's vulnerable". Not to mention the ones that where vulnerable mostly all got patched before the chaos started anyway.

Webp files are the bane of my existence when I want a PNG file. Glad to know that there was a massive security issue with it.

I would totally get hacked by that image in the thumbnail tbh

Google makes an image format.... Its used for malware... Google makes a domain "zip" and its used for malware.... Google is on a roll lol

How can Google make a photo file format and not even make it compatible with their OWN APPLICATIONS

it’s 2023 and we’re still getting new buffer overflow bugs in major software. you would’ve thought that we had done something systematic about it by now, but no. ”i’m clever enough, so it’s fine for me to write this software in a memory unsafe language and not use any static analysis tools to verify this“ still seems to be a prevalent mindset and people still trust people who does that for some reason

The lack of a heads-up by Apple and Google (both PR/SM-partners) isn't suspicious at all.

Google giving birth to another exploit? No way. 🤣

my reason for hating webp is because I use blender, and when I need to import reference images, they're just not supported at all. PNG is far better in this case

Images running code. Something nobody asked for, wanted, or needed. Why do I get the impression security is never going to get any better?

Me with thousands of .webp images saved on my computer: *gulp*

It took me 10 minutes to be able to even view this video. Thanks KZbin, for FORCING me to view all of those scam and/or gambling ads. I really wish there was a comparable alternative. Until there is, I guess I'll just have to go on without watching videos on KZbin. I HOPE that KZbins anti-adblocking ends up killing the platform. Ads are EVERYWHERE, in stores, on the streets, at bus stops, on TV, in every single app. I'm ALREADY paying for contacts to even be able to see, why the F do I have to pay AGAIN to be able to be able to see stuff without ads?! KZbin reported 29.2 BILLION dollars of revenue last year. Forcing ads on us an blocking people with adblockers is just forking GREEDY. If KZbin wants me to buy "Premium", at least make it worth the money! $13.99 a month, just to not be constantly be exposed to scam and gambling(same thing) ads is ridiculous! At LEAST give me something of value for that money.

Also there is the objectively superior format jxl, which is royalty free and backwards compatible but Google being Google decided to drop support for it for chrome because it's their anticompetitive practices. Don't be evil.

I love that you used the Cat as an Example XD

Watched your ad purely because you put it at the end. Thank you for that.

If you're on windows you can open webp images in paint and then save it as a normal image btw

Another excellent video. Nice work 👍

Yet again google ruins everything.

hey i emailed seytonic about this webp exploit Fri, Sep 29! no way!

The internet can be scary place...

For both WordPress, Nodejs and Ruby on Rails developers, this is kinda concerning. But if we will not allowed webp format on user post system, maybe it will gonna fine for a while.

I swear to god, the only utility of the webp format is to give work to do to people developping websites to convert them

Beluga is trying to hack you 😂

3:50 Rust on a buffer overflow vulnerability list. When safe ain't safe, just be careful. 🤣🤣🙃

Google Voice doesn't support them either. I use it for texting from my computer and it's annoying having to convert webp images to png.

It seems like every week NSO Group is being said to have gone dark and then comes back with no explanation whatsoever... I don't get it... are they shut down or not? :/

that exploit has been around for a looooong time 😂

Well this is (once again) terrifying.

Beluga being the center of the problem 😂😂😂😂

2:13 " Pegasus can track your location, read your messages and call logs, and activate your microphone and camera..." Isn't this what apple and google does anyway? and ever app installed on these OS's?

ah the good times of webp's crashing your discord app

Outside of a web browser I still can't view animated webp files. Conversion sites cause the file to bloat up as well. So it's still a basically useless format.

Here is how great the education system is (Sarcasm intended). I get in trouble at school for trying to save my grandmother from this attack. The school I go to, the majority of people live in very nice and expensive homes (Except for me and a few other students) so they LITERALLY expected me to allow my grandmother get hacked, and then I get in trouble with them if I don't do what they want so I can waste 1500 dollars on another computer that is completely unnecessary. Just awesome.(Sarcasm intended again)

THANKS GOOGLE! Man, I can't help but feel google an apple should be fined by the FCC or something for this

Wait… you had .webp > png but the thing you mentioned was that they support transparency, like png. Why is it better than png? Also, every image format has better compression than jpeg

Always on point! 💪🏼

No accident that they didn't report it. My guess is they knew state sponsored groups were using the exploit

Discord already patched it btw

So is it zero click? Or would the user be required to actually add a random pass to their wallet sent from a random person?

I'm not sure what's worse, that people still write buffer overflow bugs in 2023, or that they can still result in arbitrary code execution on a modern system.

Never waste the chance of turning a crisis into an opportunity: time for devs to deprecate the most annoying file format for good in all platforms. It's a security threat. If the malware turns out not to be exclusive to webp, at least we get rid of webp, that is something.

the other thing about being black hat and selling a zero day to bad actors is you have to trust they'll actually pay you 20mil

This is not the first time this has happened and I'm not surprised it happened again

I found out Google domains has died from that b-roll footage 💀

Getting sponsored by akami is crazy 😭

In short, hecker hecked Beluga.

When you say tor is vunerable i assune you mean the browser bundle? So does that mesn firefox too, or domething the tor foundation swapped out?

Funny, Google always creating formats that carry malware

That's Beluga. Damn it hecker!

No way memes are becoming more dangerous.

Has google ever developed something that didn’t make hacking easier? First there’s the new TLDs (.zip for example) and now this?

IOS is not secure At one time it was very secure but popularity brings malice as you mentioned. I have seen the most recent ios exploit in action twice in the past six months. Apple claims to have patched this in the most recent update but I still have concerns as this is the same exploit they claimed to have patched previously

The hacked person is called Ahmed Tantawi.. and he was about to be a president

I think companies like dot webp images precisely because they are hard to work with... It keeps images from being reused without consent. Of course nothing loading up in paint and saving as a jpeg can't fix

That's cruel how could they hack people with beluga cat image? Did they stop using those xxxx site?

Google just can't produce something that doesn't have vulnerable flaws. 😑

As someone who's never stood for .webp files, those girls in high school saying "I just had a gut feeling" don't seem so crazy now

I bet NSO was PISSED when he got the exploit patched. I wouldn't be surprised if they put a hit out on him, Mostly because their shitty exploit got patched.

Surely they are using these exploits on "bad guys", right guys?

Well, I'd rather get hacked by a polite cat than a rude one...

Beluga out there causing trouble...

Typical Google. Reinvents what doesn’t need reinvention & makes it vulnerable at the same time. Great job!

Often when I download an image from Facebook Messenger, it downloads as a webp, then when I try to send it to someone, Messenger says it's not a compatible file format and also seems to think it's a gif too.

They are compatible with ms paint and they were since the start.

Europe: _See, closed source security is going great?

I don’t find the danger in that photo

4:30 Man, they must get paid well!!!

Finally, KZbin sends it to me on time

Dude, if you're going to be using a massive exploit in an image file, why not use Smile Dog? It's THE cursed image, and it's not like it matters what the image is from an execution standpoint, anyway.

you didnt need chrome to open webp you just needed an image suite like nomacs

How about some prominent popular webp viewer is made (from the same hacker group) to run the code - even if the vulnerability have been "patched", and nobody suspect it?

i saw a guy named Text to Speech make a video about this and how it related to discord. haven't watched this vid but wasn't this patched roughly a week ago, or has it appeared as something different?

I am concerned because I was just sent an image from an unknown number while watching

wow beluga called hecker

Malware makes a return!

You need to convert webp to jpg or png first then you can insert it into video editing software like Vegas. So, yeah. I hate webp.

i hate webp files so much its unreal

Would be nice to know what dates this was a problem. And what to remove if somehow it through....

Is there a CVE number or something else which actually explains how this exploid works?

just change the extension to .png

When you're downloading an image, if its a webp, I'm pretty sure you can just replace the .webp file extension with .png/.jpg/.jpeg.

Who in the google building made webp?

i hope this means that the cat image will be seen as the personification of malice because i hate it

That cat is NOT polite! He hacked my father

Me, who convert the webp to png online before downloading: I do not possess that weakness~

that is why I dont let my users upload the image directly

Yes, I have ae 2020 still and webp got me mad bro 😭

I'm never going on fandom ever again

So I also learned that Akamai is legit. And, like with guns and roses, you can either plant a garden or scar someone. Money is nice and all, but greed for potential malice and $20,000,000 more is all-consuming. In the end, greed kills itself, and the host with it. *Pun completely intended*

This is why I subscribe.

0:35 Hmm I don't know if "wet pee" is that awesome. xD

btw discord uses a safe version of libwebp

The first thing I do with .webp images is convert them.

Are there any video formates that do it?

beluga is getting more powerful

Besides google being evil and there being a non-zero chance this has was malicious from the start, I fucking hate WebP and WebM. What's wrong with PNG? it's soo much better.