Listen, unless we can do an OTA update to patch our parents against racist memes they see on Facebook, memes have always been more dangerous. (And if we can, how? Pls tell me, pls. I beg of you).
when I see a webp I automatically get pissed off Even if it's since 1997 im on the internet, I never had the necessity of working with webp, so can we let that format die?
they're not very smart over at google - i think it's time that faang becomes faan, or fana, or whatever i don't really care. all i know is that google is full of idiots especially at the higher levels
For what it's worth, discord was never vulnerable due to multiple reasons. This was also likely true for multiple of the named programs. People just saw webp and panicked without doing any research other than "is the file type there? then it's vulnerable". Not to mention the ones that where vulnerable mostly all got patched before the chaos started anyway.
Damn it's always the NSO Group. I have to say as cool as this is, I hate the NSO with a burning passion, I was hoping it would be some hobbyist security geek who came up with this :(
To be fair, it probably was, and they sold it to the NSO who then claimed credit for it, plausible deniability for the finder and more money than the bug bounty that it might have been eligible for.
it’s 2023 and we’re still getting new buffer overflow bugs in major software. you would’ve thought that we had done something systematic about it by now, but no. ”i’m clever enough, so it’s fine for me to write this software in a memory unsafe language and not use any static analysis tools to verify this“ still seems to be a prevalent mindset and people still trust people who does that for some reason
There's a programming language that aims to prevent most memory unsafety bugs; it's somewhat new but it constantly grows in popularity. To my knowledge, the Rust library for decoding webp was not affected :)
@@Gramini yep, i assumed as much. i was explicitly thinking about rust when writing this comment. most programming languages are memory safe, but they also use a garbage collector, making them less well suited for high performance libraries like an image format codec, so rust would clearly be the best fit
Honest question: Why do you have them saved as .webp? Has this any advantage? I always hate it, when i want to download an image and its .webp ^^
10 месяцев назад
@@MyDarkKnightRisesWhenISeeU Many websites now, such as Reddit, only give that format. So if you try to download an image, that might be your only option. Sites like Twitter are starting as well. Whenever and however possible, I do try to avoid it but it's starting to become a point where it's the only option. Truthfully, the low file size does greatly help storage space on servers/networks, but the quality takes a hit. If I really care, I'll find a way. If it's just something to save, I could care less.
Stop blaming google for everything... Software is bound to have vulnerabilities. No matter if it's made by Google or by Joe. They didn't "give birth" to it. It was found by someone auditing the code.
In reality, google's products are most secure in the world... actually security is a joke in most MNCs especially when MNCs are deploying collage freshers to critical production environment for saving money, what else to expect....
It's not like that was a feature or anything. It was just a (critical) bug in a library that decoded the format, that could lead to code smuggling/code execution.
everything needs to be fully sandboxed, viewing image on discord should NEVER be able to breach outside of discord. the security of our systems are a joke @@Gramini
It's not like that. It's on the decompression mechanism. It's a total fine image, and the display of it doesn't kill, but some buffer of IoP there has code that scapes the permitetted and then gets executed. I agree with both commenters above me tho, although this would not suffice, as there are jailbreaks for a reason. They would exploit the decoder and then the venv. That's why even VirtualBox and other venvs are not 100% secure. There are malware that search for venvs to break or yeet itself.
@@apache937because corporations keep “kitchen sinking” everything they get their hands on. “Let’s make a new platform, but make it more vulnerable to attack. What could go wrong?”
Also there is the objectively superior format jxl, which is royalty free and backwards compatible but Google being Google decided to drop support for it for chrome because it's their anticompetitive practices. Don't be evil.
my reason for hating webp is because I use blender, and when I need to import reference images, they're just not supported at all. PNG is far better in this case
It took me 10 minutes to be able to even view this video. Thanks RU-vid, for FORCING me to view all of those scam and/or gambling ads. I really wish there was a comparable alternative. Until there is, I guess I'll just have to go on without watching videos on RU-vid. I HOPE that RU-vids anti-adblocking ends up killing the platform. Ads are EVERYWHERE, in stores, on the streets, at bus stops, on TV, in every single app. I'm ALREADY paying for contacts to even be able to see, why the F do I have to pay AGAIN to be able to be able to see stuff without ads?! RU-vid reported 29.2 BILLION dollars of revenue last year. Forcing ads on us an blocking people with adblockers is just forking GREEDY. If RU-vid wants me to buy "Premium", at least make it worth the money! $13.99 a month, just to not be constantly be exposed to scam and gambling(same thing) ads is ridiculous! At LEAST give me something of value for that money.
@@Seytonic hadn’t heard about it until now! Great to know I can view your awesome content somewhere else! I love your videos man! Keep doing what you do, you’re awesome!
Forcing? You can skip the ads after 5 seconds. And if you wait 30 seconds before skipping, the RU-vidr will get their money even without you watching the whole ad.
That's one of the reasons I hate them so vehemently. If you're not converting a lossless or much higher quality image to webp, then you're losing image quality to convert instead of just using what you already have. Far too many people don't seem to understand this and all the webp images I've found had a lower quality image because of it.
@@anon_y_mousse And yet webp is getting more traction simply because being able to decrease the average size of an image by 10-15% over other formats is potentially millions worth of savings. The most expensive thing for a website or a service is literally bandwidth.
Never waste the chance of turning a crisis into an opportunity: time for devs to deprecate the most annoying file format for good in all platforms. It's a security threat. If the malware turns out not to be exclusive to webp, at least we get rid of webp, that is something.
What's wrong with webp? Aside from the vulnerability of course (since it is patched on most platforms now). Seems a little silly to move back to more inefficient formats. It's not like webp is a closed standard.
Yes, please get rid of gif, it's so annoying to deal with. But I wouldn't call it a security thread. If you watched the video you'd know that the problem was not webp, but libwebp, a somewhat common library to decode such images. The format itself is perfectly fine.
Was curious about that as well. Given that the text about it mentions "the vulnerable library" I guess it's just Rust bindings to the C-library libwebp. There's also a pure Rust library for webp.
@@Gramini Apple & Google was mum about it. They cutting edge corps. that like to hide their faults. Not a stretch to think it was the actual Rust lib since their logo was up with the others. They'll sue devs for wrong colors, they'll sue that site for libel & whatever else if it wasn't true. Oxidized brains won't shut up about Rust until they see something like that. And they squirm inside their soul when they see a oxidized program segfault.
I ain't a dev just to be clear. I just know from what I've experienced, it "shouldn't" be on the list like it is. That list seemed specific to me. Also, I acknowledge there are missing details & ambiguity to the problem being in "safe" Rust specifically. I saw it, my brain giggled, then I wrote 🤷🏿♂️
@@akurasubject9617 The problem is exactly that. The exploit allowed the hacker to insert malicious code into the software reading the image, and making it do things it wasn't supposed to do, like installing a malware.
Wait… you had .webp > png but the thing you mentioned was that they support transparency, like png. Why is it better than png? Also, every image format has better compression than jpeg
2:13 " Pegasus can track your location, read your messages and call logs, and activate your microphone and camera..." Isn't this what apple and google does anyway? and ever app installed on these OS's?
Yes. Difference is, Google and Apple hands your data to advertisers. Pegasus hands your data to authoritarian governments. One is far more worrisome than the other if you are a journalist, researcher, activist or express any political dissent.
As a web dev I can with 100% certainty tell you - Yes, it god damn is. Just deep dive into some open-source analytics and tracking software, then realise closed-source big-tech solutions are even worse.
i just use ffmpeg to re-compress .jpg(s) into more efficient space usages, I just use the [-preset veryslow] parameter. So far the quality drop of the recompressed images are quite hard to detect.
@@TheTubejunkyas if its the format thats the problem. Its not, its libwebp thats the problem. And that when Apple/Google fixed it, didnt fix it upstream.
For both WordPress, Nodejs and Ruby on Rails developers, this is kinda concerning. But if we will not allowed webp format on user post system, maybe it will gonna fine for a while.
It seems like every week NSO Group is being said to have gone dark and then comes back with no explanation whatsoever... I don't get it... are they shut down or not? :/
Outside of a web browser I still can't view animated webp files. Conversion sites cause the file to bloat up as well. So it's still a basically useless format.
Critical security vulnerabilities are always intentionally kept under wraps for months or even years due to government agencies using them. The US in particular does this a LOT.
Who do you mean with "they"? The NSO Group? Of course they wouldn't report it, they are/were actively exploiting it… Google? They didn't knew and fixed it once reported…
Here is how great the education system is (Sarcasm intended). I get in trouble at school for trying to save my grandmother from this attack. The school I go to, the majority of people live in very nice and expensive homes (Except for me and a few other students) so they LITERALLY expected me to allow my grandmother get hacked, and then I get in trouble with them if I don't do what they want so I can waste 1500 dollars on another computer that is completely unnecessary. Just awesome.(Sarcasm intended again)
IOS is not secure At one time it was very secure but popularity brings malice as you mentioned. I have seen the most recent ios exploit in action twice in the past six months. Apple claims to have patched this in the most recent update but I still have concerns as this is the same exploit they claimed to have patched previously
@@HyBlock sometimes Google's form of open-source feels like a malicious compliance. Even tho it's open-source, the methodology of fixing and not reporting these issues is the same way if a closed-source OS does the same and then never reports the issue to anyone else.
I'm not sure what's worse, that people still write buffer overflow bugs in 2023, or that they can still result in arbitrary code execution on a modern system.
I think companies like dot webp images precisely because they are hard to work with... It keeps images from being reused without consent. Of course nothing loading up in paint and saving as a jpeg can't fix
@@carlosnava1471 it doesn't have to be a binary thing. I have known many web developers and have built pages in Word press and Drupal, and while I personally haven't been asked, have heard of clients on more than one occasion with concerns over their images being reappropriated. Webp makes that slightly less convenient and has those other benefits to an extent also
I bet NSO was PISSED when he got the exploit patched. I wouldn't be surprised if they put a hit out on him, Mostly because their shitty exploit got patched.
i saw a guy named Text to Speech make a video about this and how it related to discord. haven't watched this vid but wasn't this patched roughly a week ago, or has it appeared as something different?
How about some prominent popular webp viewer is made (from the same hacker group) to run the code - even if the vulnerability have been "patched", and nobody suspect it?
@@LyubomirIko OK, you mean a generic viewer with webp support. Who would need that anyway? Too low quantity of users. Also doesn't that mean that author will reveal himself, when will propose this soft? Why not to include backdoor from the beginning then? You should understand that those kinds of exploits are very tricky to run, code should be optimized for certain group of devices. While this method is OK to jailbreak iPhone, as you can create exploit for several device versions, while having the device at hand, it is not so much reliable when you attack generic computers, which may be really different. And if you program is not cross-platform, then no purpose at all. May be only to became the most popular image viewer, but will you need to exploit someone after that? If you do, your rating will hit the floor.
@@enosunim I especially need such viewer with webp support - I have installed and try dozen of those apps both on my Linux, Windows and Android devices. Some, if not most viewers actually still doesn't support webp. There is also ton of other exotic file types that can too be obviously used as a backdoor. And almost all of those apps will connect the creator for the so called "anonymous crash reports" and for "new update checks". Asking me why, how etc doesn't make sense. This video is a proof it is already implemented and that there is many spy/hacker groups working on this.
@@LyubomirIko this video is just a generic yt vid. Like "hey you should watch this, and all ads too pls". But actual problem is inside a library, not a viewer program. And except iphone jail-breaking there is no other existing known cases. So you may sleep well. Actually I use Linux Mint, and I use some generic viewer, I do not know even how it is called. It opens webp with no problem. So I still do not know, why do you need some other unknown client for images. Also I stated that, why not create any just any program with backdoors inside. It is a good idea anyway(no). Much more reliable, then trying to exploit webp library(yes).
Besides google being evil and there being a non-zero chance this has was malicious from the start, I fucking hate WebP and WebM. What's wrong with PNG? it's soo much better.
Often when I download an image from Facebook Messenger, it downloads as a webp, then when I try to send it to someone, Messenger says it's not a compatible file format and also seems to think it's a gif too.
So I also learned that Akamai is legit. And, like with guns and roses, you can either plant a garden or scar someone. Money is nice and all, but greed for potential malice and $20,000,000 more is all-consuming. In the end, greed kills itself, and the host with it. *Pun completely intended*
