this post was submitted on 27 Oct 2024
39 points (75.3% liked)

Privacy

31751 readers
613 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

Think about it. It was released (read: forcibly shoved down our throats) by Google and came out of nowhere when there were zero problems with the decades old and extremely well researched incumbent image/video formats that the web was already using (i.e. jpg, png, gif, mp4, etc). Google has confirmed ties to the US three-letter agencies through PRISM, as well as AFAIK all but confirmed ties to the Israeli government. BlastPass was reportedly apart of Israel's Pegasus hacking suite for years before the vulnerability went public, and was actively exploited by Israel to track down political dissidents. It's also the worst type of vulnerability there is, a buffer overflow resulting in arbitrary code execution, meaning once you exploit it you can do literally anything to the target device, from an image format, the type of file most people would never suspect to be capable of doing that (and indeed most developers never suspected that either, considering how everyone from Mozilla to Apple seemingly just took Google source code and incorporated it into their own software, no questions asked).

Maybe I'm just overly cynical, but I'm having a really hard time believing that such a critical vulnerability in such a widespread code base would be accidental, especially in the age of automated testing, fuzzing, and when the industry generally has a very good understanding of how to prevent memory vulnerabilities. The vulnerability was there since they very beginning of the standard and we're to believe one of the largest software companies simply failed to spot it for years? I don't think Hanlon's Razor should apply to companies like Google because they have a long and shameless pattern of malice and have long exhausted their benefit of the doubt.

I have a sneaking suspicion that WebP was planned as a Trojan horse from the start to backdoor as much software as possible, and Google sold the exploit to the US and Israel govts. Why else would Google so relentlessly push an image format of all things unless there was some covert benefit to themselves? (An image format that's not even patented/licensed mind you so they're definitely not making money that way.)

What do you think?

top 17 comments
sorted by: hot top controversial new old
[–] [email protected] 35 points 3 days ago* (last edited 3 days ago) (1 children)

What do you think?

I think I prefer JPEG-XL

[–] [email protected] 8 points 3 days ago

it is superior in all the ways. too bad it's barely supported by anything

[–] [email protected] 33 points 3 days ago

Google implemented WebP because they can control it without having to pay anyone else. Apple then bungled the client-side implementation.

[–] [email protected] 30 points 3 days ago (1 children)

I know almost nothing about BlastPass, but, looking at the first page of search hits, it seemed to have been an Apple implementation vulnerability rather than some vulnerability baked into the standard itself. In general, buffer overflows are implementation-specific.

[–] [email protected] 18 points 3 days ago (1 children)

This video from a security researcher says that pretty much every software that uses WebP was affected though, and once the issue was discovered, Google made commits in their own codebase to "fix" it. Which suggests it's an issue with the upstream source code that Google provided to everyone else.

[–] [email protected] 14 points 3 days ago

Oh. That’s what I get for making wild-assed guesses from the first page of search results ¯\_(ツ)_/¯

[–] [email protected] 16 points 3 days ago

It was released (read: forcibly shoved down our throats) by Google and came out of nowhere when there were zero problems with the decades old and extremely well researched incumbent image/video formats that the web was already using (i.e. jpg, png, gif, mp4, etc)

I don't agree with this. There are many things wrong with those file formats. GIF, for example, is over 35 years old and has a 256 color pallete. Now, if it's good enough for your purposes and it "ain't broke" for that, fine, but compare these formats to JPEG-XL and it's clear that they deserve to be surpassed. WebM/WebP, despite my many issues with it (WebP and AVIF are bullshit formats), they did serve a legitimate purpose, and quite frankly you can even say it was good for the environment due to lowering filesizes at an actually meaningful scale.

In fact, if I'm reading Mitre correctly, there are libjpeg vulns still being found since WebP was launched. I'm not saying this to equivocate the two from a security standpoint, hell no, but to critisize the common view I see online claiming the older formats are unbackable.

[–] [email protected] 11 points 2 days ago* (last edited 2 days ago)

WebP is basically the format used to store i-frames in WebM/VPx videos. Google acquired on2 technologies for this tech many years ago, and it was to stop W3C from standardising a patent encumbered codec like H.265. These were all well intentioned.

WebP / WebM has all been superceded by AV1 / AVIF anyway. It never really took off, and it's too late to start now.

[–] [email protected] 7 points 2 days ago

No. There are easier and more reliable ways to backdoor stuff that don't run the risk of somebody's fuzzer stumbling across it. Which, I hasten to add, can be installed in such a way that disabling it bricks the device (which means that nobody will bother).

[–] [email protected] 11 points 3 days ago (1 children)

Quite possibly. And also that format should die. It’s bad and it should feel bad.

[–] [email protected] 3 points 2 days ago (1 children)

What do you suggest ? Jpeg-xl ? Avif ?

[–] [email protected] 3 points 2 days ago

JPEG XL, for sure. Great format.

[–] [email protected] 9 points 3 days ago
[–] [email protected] 6 points 3 days ago

Everything is possible. Malice or just incompetence? No way to know.

[–] [email protected] 3 points 2 days ago* (last edited 2 days ago)

How much are we getting paid to shill proprietary file formats?

[–] [email protected] 3 points 2 days ago

So, Apple was right all along. WebP is a bad format.

[–] [email protected] -1 points 2 days ago* (last edited 2 days ago)

I think it was... Cyberwar/crime is the new kind of war, it can be deadly and put a whole country/system on halt with a lot of consequences (human and resources).

Most people would call out conspiracy theory, but I do firmly believe that those higher ups are doing WAY more bad things behind our backs than we can imagine.

But hey we have no proofs, except those lost trails left by good people who need to hide their own asses because the government are looking for them for crime against the government?

That's exactly why I value privacy and doing everyday my best to leave as less information about me as possible. Sure they have the mean/money to find where I live in seconds but they won't get that information without a fight ! F#CK big corporations !