My thoughts on the WebP exploit

How a bug in Google code from 2010 was likely the root cause of an iOS zero-day exploit that compromised the iPhone 14 in 2023.

Shmuel Rosansky
4 min read · Sep 27, 2023

Wow, I’m drinking coffee & catching up on the WebP exploit news. Wow. Mind blown. The deeper I get the more my jaw drops; this is huge, on so many levels.

What is WebP and why should you be concerned?

WebP is an image format developed by Google and open sourced (i.e. shared with other companies). Like JPEG or PNG it stores pictures, but it introduced a novel way of compressing them, resulting in smaller file sizes with fewer visual artifacts. Think back to small JPEG files and the ‘blocky’ compression artifacts you’d sometimes see; the WebP format was made to solve this.

For more on how WebP is used in mobile apps see this post on how I was able to “reduce our apk size from over 150mb to 34mb.”

JPEG vs WebP file size comparison

Because of the utility of this format and Google’s backing, it took off in popularity. Android & Chrome have bundled WebP for the past 12 years, Mac/iOS/Safari for about the last 2 years, and many other browsers as well. You can see the full list of supported browsers here.

What happened?

It appears that a bug in the WebP library allows for a heap buffer overflow when decoding images.

Ok, but in practical terms what does this mean?

This seems to have been how hackers were compromising iPhones by just sending them a text message. Yes, you read that right: a hacker was able to gain access to a victim’s iPhone by sending them a specially crafted image that, when received, was processed by the WebP decoder bundled with the iPhone, giving the hacker the ability to run commands on the iPhone without the user’s interaction or knowledge.

In the security community this is referred to as a zero-day (or 0-day) exploit, “a software vulnerability discovered by attackers before the vendor has become aware of it.” The existence of this bug was made known when Citizen Lab reviewed a compromised iPhone and shared that information with Apple. The Isosceles blog post has a great timeline on how they surmise this issue was found and fixed.

How long has this bug been around for?

Somewhere between 4 and 10 years. You can see why this is a problem: there are literally billions of devices out there that are exploitable today.

Is Android affected?

I’m not exactly sure; I’m still digging into this, and if anyone has any insight please comment. My first hunch was yes: Android added WebP support with Android 4.0, released in 2011. But then I remembered that in 2017 Android released a major update hardening the media stack to prevent these sorts of issues.

https://android-developers.googleblog.com/2016/05/hardening-media-stack.html

Android had been facing a number of bugs like this in the early 2010s, so the Android team took the approach of reducing the attack surface and blast radius, meaning that if a hacker were to compromise a phone with a media-related attack they would only get minimal access, making these attacks not worth the effort.

Did Android’s protections work here?

I don’t have evidence yet; this is an unfolding situation. Google has published an update to WebP and will likely include this in the next monthly Android patch. We’ll have to see in the release notes whether the Android media hardening mitigated the impact, or whether this is as impactful on Android as it is on iOS.


What should you do?

Update all your software. Now. And double-check that auto updates are turned on. Apple has published critical updates for Mac & iOS, Chrome has released a critical update, and I expect more vendors to follow.

If you are an app developer, what should you do?

Good question. If your app allows user-generated images, consider bundling your own copy of the WebP library and using it to decode the user-provided content. This lets you proactively protect your users without waiting for Android devices to update (and protects your users on devices that aren’t getting Android updates anymore).

To include a fixed version you can either compile from source (recommended, so you stay up to date with the most recent fixes) or find precompiled libraries for your targets here: https://developers.google.com/speed/webp/docs/precompiled.

If your app does not allow user-generated content, you shouldn’t have anything to worry about: as long as your app’s bundled assets are ‘safe’ WebP files (which they would be), there is no harm to your users.
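As an added example (mine, not code from this post and not part of Google’s WebP library), here is the kind of front gate an app can put at its upload boundary next to the bundled decoder: a standard-library Python parser of just the RIFF container and the first VP8/VP8L/VP8X chunk header, which rejects files whose magic, declared sizes, or dimensions are off before the real decoder ever sees them. The MAX_PIXELS limit, the WebPRejected class and the sample byte strings are constructed for the example. This gate does nothing against the bug itself, which lives inside the decoder, so the bundled library still has to be the patched one; it simply keeps obviously malformed or oversized input from reaching it, and it applies to any image bytes the app did not ship itself (downloads as much as uploads).

```python
"""Pre-decode sanity checks for WebP bytes an app did not ship itself.

Added example, not code from the post or from Google's libwebp. It parses
only the RIFF container and the first VP8 / VP8L / VP8X chunk header with
the standard library, so an app can reject malformed or implausibly large
uploads before they reach the real decoder. It is a cheap front gate, not
a fix: the overflow the post describes happens inside the decoder, past
everything this code inspects. MAX_PIXELS, WebPRejected and the sample
byte strings below are constructed for this example.
"""
import struct

MAX_PIXELS = 50_000_000  # hypothetical per-app policy limit (width * height)


class WebPRejected(ValueError):
    """Raised for anything the gate refuses to pass to the decoder."""


def _u16(b, off):
    return struct.unpack_from("<H", b, off)[0]


def _u24(b, off):
    return b[off] | (b[off + 1] << 8) | (b[off + 2] << 16)


def _u32(b, off):
    return struct.unpack_from("<I", b, off)[0]


def parse_webp_header(data: bytes) -> dict:
    """Return {'format', 'width', 'height'} for a plausible WebP file.

    Raises WebPRejected on bad magic, a RIFF size that disagrees with the
    real length, a truncated or unknown first chunk, or dimensions that
    are zero or above policy.
    """
    if len(data) < 20 or data[0:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise WebPRejected("not a RIFF/WEBP container")
    riff_size = _u32(data, 4)  # counts every byte after the 8-byte RIFF header
    if riff_size + 8 != len(data):
        raise WebPRejected("RIFF size field disagrees with actual length")
    fourcc = data[12:16]
    chunk_size = _u32(data, 16)
    payload = data[20:20 + chunk_size]
    if len(payload) != chunk_size:
        raise WebPRejected("first chunk truncated")

    if fourcc == b"VP8 ":  # lossy: 3-byte frame tag, start code, 14-bit w/h
        if chunk_size < 10 or payload[3:6] != b"\x9d\x01\x2a":
            raise WebPRejected("bad VP8 key frame header")
        width = _u16(payload, 6) & 0x3FFF
        height = _u16(payload, 8) & 0x3FFF
        fmt = "lossy"
    elif fourcc == b"VP8L":  # lossless: 0x2f signature, then packed w-1 / h-1
        if chunk_size < 5 or payload[0] != 0x2F:
            raise WebPRejected("bad VP8L signature")
        bits = _u32(payload, 1)
        if bits >> 29 != 0:  # 3-bit version field must be zero
            raise WebPRejected("unsupported VP8L version")
        width = (bits & 0x3FFF) + 1
        height = ((bits >> 14) & 0x3FFF) + 1
        fmt = "lossless"
    elif fourcc == b"VP8X":  # extended: flags, reserved, 24-bit canvas w-1 / h-1
        if chunk_size != 10:
            raise WebPRejected("bad VP8X chunk size")
        width = _u24(payload, 4) + 1
        height = _u24(payload, 7) + 1
        fmt = "extended"
    else:
        raise WebPRejected("unexpected first chunk %r" % fourcc)

    if width == 0 or height == 0 or width * height > MAX_PIXELS:
        raise WebPRejected("rejecting %dx%d image (policy limit)" % (width, height))
    return {"format": fmt, "width": width, "height": height}


def gate_upload(data: bytes):
    """Return (accepted, detail) for use at the upload boundary."""
    try:
        return True, parse_webp_header(data)
    except WebPRejected as exc:
        return False, str(exc)


# --- constructed samples (headers only, no pixel data) ----------------------
def _riff(chunks: bytes) -> bytes:
    return b"RIFF" + struct.pack("<I", 4 + len(chunks)) + b"WEBP" + chunks


def _chunk(fourcc: bytes, payload: bytes) -> bytes:
    pad = b"\x00" if len(payload) % 2 else b""  # chunk payloads are padded to even
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


SAMPLE_LOSSLESS = _riff(_chunk(b"VP8L", b"\x2f" + struct.pack("<I", (16 - 1) | ((8 - 1) << 14))))
SAMPLE_LOSSY = _riff(_chunk(b"VP8 ", b"\x00\x00\x00\x9d\x01\x2a" + struct.pack("<HH", 32, 24)))
SAMPLE_HUGE = _riff(_chunk(b"VP8X", b"\x00\x00\x00\x00" + (16384 - 1).to_bytes(3, "little") * 2))
SAMPLE_TRUNCATED = SAMPLE_LOSSLESS[:-4]  # RIFF size no longer matches the data

if __name__ == "__main__":
    for name, blob in [("lossless", SAMPLE_LOSSLESS), ("lossy", SAMPLE_LOSSY),
                       ("huge", SAMPLE_HUGE), ("truncated", SAMPLE_TRUNCATED)]:
        print(name, gate_upload(blob))
```

The strict RIFF size check is deliberate: real encoders always write a size that matches the file, so a mismatch is either corruption or a hand-built file, and either way the app gains nothing by letting it through to the decoder.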

Takeaways

Wow. Just mind blown at the impact and scope of this issue from a seemingly harmless tool.

1. Everything is connected today. Apple & Google working together with Citizen Lab to catch, fix, and roll out updates to billions of devices is nothing short of heroic.

2. User input is terrifying.

3. Security is hard. Do your best, and assume that something will go wrong. Harden attack surfaces, reduce potential blast radius, and ensure you have working relationships with partners in the industry.

Related links

https://news.ycombinator.com/item?id=37600852

https://android-developers.googleblog.com/2016/05/hardening-media-stack.html

https://arstechnica.com/security/2023/09/google-quietly-corrects-previously-submitted-disclosure-for-critical-webp-0-day/


Shmuel Rosansky

Ex-Google Tech Lead Manager, passionate about growth, development, and the intersection of technology & mental health