This image Can Hack You (The .webp Exploit)

Captions
Hello world. State-sponsored hackers have been compromising iPhones by hiding malware in images and then just sending those images to the victim. But it gets worse, because this critical vulnerability affects a hell of a lot more than just iOS. This is really pretty bad.

The root of the problem: WebP, an image format that has a bit of a history of being hated. Google developed WebP back in 2010 with the aim of it becoming the number one image format used on the internet. These things have better compression than JPEG, support for transparency like PNGs, and can be animated like GIFs. On paper, WebP is awesome, but if you've ever downloaded a WebP image you've probably had a bad experience, because other than major browsers hardly anything seems to support them. For the longest time no Adobe software worked with them. On top of that, you couldn't even open them natively in Windows, so you were forced to open them in Chrome, and they're not even compatible with Google Docs, despite Google quite literally having developed the image format.

It's a strange situation, but instead of joining the long list of projects killed by Google, WebP has doubled in popularity over the past year and support for them is getting better. Adobe software now works with them, as well as the Windows Photos app, finally. But someone else also added support for WebP images: the world's leading spyware developer, loved by governments worldwide, NSO Group.

These guys discovered a vulnerability in the way WebP images are handled on iPhones. They figured out that they could hide malicious code within a WebP image, which would then run on a victim device when the image was displayed. To exploit this in practice, NSO Group created something that researchers are calling BLASTPASS, an exploit chain which first exploits Apple Wallet to create a special pass which contains that malicious WebP image. Then this pass is shared with the victim via iMessage, and as soon as they receive it the malicious code hidden in the image is executed, with the victim being totally unaware of what just happened.

And in order to monetize BLASTPASS, NSO Group bundled the exploit in their infamous spyware suite, Pegasus. Pegasus is, simply put, the Rolls-Royce of spyware. Screenshots leaked a couple years back revealed that once it's installed on your phone, Pegasus can track your location, read your messages, emails and call logs, and activate your microphone and camera. Pretty much everything you'd want in advanced spyware, making it the go-to choice for authoritarian governments worldwide.

But unfortunately for NSO Group, they're going to have to come up with a new exploit, because after a victim who isn't being named suspected that they'd been hacked, they sent their iPhone to be analyzed by Citizen Lab, who discovered the vulnerability and reported it to Apple, and the bug was patched.

But the story doesn't end there, because this vulnerability in WebP images isn't actually an iOS-specific problem. Rather, the vulnerability exists in pretty much all software which supports WebP images, because the root of the problem is libwebp, the library that Apple and pretty much everyone uses in order to handle the WebP image format. So the list of software goes way beyond just iOS: there's Chrome, Discord, Microsoft Teams, Slack, Skype, Signal and even Tor. I mean, the list of software is likely in the millions, all of which were made potentially vulnerable to a very lucrative attack vector. I mean, would you suspect an image you received in a phishing email would be malicious?

To make matters worse, Apple made the fatal error of not publicly reporting the vulnerability's root cause as being in that library which everyone uses; rather, Apple just made it seem like it was an iOS problem. Google, when they found out about the bug, did the exact same thing: they patched their own software but didn't give everyone else a proper heads-up. Thanks to Apple and Google, we had a situation where, weeks after a bug was first disclosed, the vulnerability was still present in the latest versions of stuff that millions of developers use, which is particularly bad when the vulnerability is confirmed as being actively exploited.

However, luckily this vulnerability, which is a buffer overflow, is quite difficult to exploit, so script kiddies aren't really going to have much luck with this one, and apart from NSO's Pegasus spyware there aren't any other publicly known instances of this actually being used in the wild. And obviously I'm only able to make this video because the screw-up has been well publicized, and so it's now been rectified. So I guess we can all breathe a collective sigh of relief.

Companies like NSO Group find vulnerabilities like this thanks to their teams of highly paid hackers. In NSO's case, it's thought they have 750 employees. Alternatively, critical vulnerabilities can simply be bought from traders, which is totally legal, by the way. I mean, if Apple's $1 million bug bounty for responsibly disclosing a zero-click exploit isn't enough for a security researcher, they can always turn to the dark side. A Russian zero-day vulnerability platform recently put out an open offer of $20 million for iOS zero-click exploits. That is, if you're okay with putting something like this in the hands of governments.

As for something that won't cost you $20 million: today's sponsor, Akamai Connected Cloud. Akamai Connected Cloud is your Swiss army knife for cloud computing. These guys can handle everything cloud, and they're giving you a $100 60-day credit just to get started. One of their features that I love is their app marketplace, which makes it super easy to spin up servers with pre-configured software. Need an instance of Kali? Just configure the basics with their installer and you're done. So click the link in the description now to claim your free $100 credit.

As always, thanks for watching and I'll see you in the next video. Have a good one.
Info
Channel: Seytonic
Views: 214,311
Keywords: technology, tech, computer, computer science, computers, technology news, tech news, weak web, cybersecurity, cyber security, infosec, info sec, information security, cybersec, hack, hacked, hacker, hacking, hackers, webp, nso group, pegasus spyware
Id: JehEh7i1PIE
Length: 5min 37sec (337 seconds)
Published: Mon Oct 09 2023