This massive exploit lets hackers breach apps like Chrome, 1Password, and Telegram
Researchers have found a critical security bug that affects a huge range of websites and apps. If left unpatched, it could let attackers run code on your PC.
By
Alex Blake
September 14, 2023 7:21AM
A massive security bug has just been discovered in the library that decodes WebP images, a format used in untold numbers of websites and apps, and it could potentially let hackers break into your computer and extract data from it. In fact, Google has already seen it being actively exploited in the wild. Because of that, it’s essential that you update your browser and apps as soon as possible.
The discovery has been detailed by researcher Alex Ivanovs, who wrote about the bug in a blog post. Right now, it seems to affect almost all major web browsers, including Chrome, Firefox, Edge, and Brave. WebP images are used all over the web, meaning huge numbers of sites and apps could be affected.
The exploit relates to what’s called a heap buffer overflow in the codec that decodes and displays WebP images. A heap buffer overflow occurs when a program writes more data into a heap-allocated buffer than that buffer was sized to hold, so the excess spills into whatever the allocator placed next to it. An attacker who controls the data being written can corrupt the program’s own bookkeeping and pointers, and from there steer it into running code of the attacker’s choosing.
In the case of WebP files, an attacker could craft an image whose malformed data triggers the overflow inside the decoder. Simply rendering that image, whether on a web page, in a chat message, or in a document preview, runs the decoder, and a successful exploit then executes attacker-chosen code with the privileges of the app that opened it. That can mean access to your computer or to data stored on it, which might include incredibly sensitive information like your passwords or credit card details.
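To make the failure mode concrete, here is an added, self-contained illustration written for this article; it is not libwebp’s code and not the code path behind CVE-2023-4863. It parses a toy chunk in the same shape a WebP container uses (a four-character tag, a little-endian 32-bit payload size, then the payload), first the way a decoder must never do it, trusting the size field from the file, and then with the bounds checks that keep a crafted size from writing past the heap buffer. The chunk bytes are constructed inline; the tag, buffer size, and return codes are arbitrary choices for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Heap buffer the toy decoder allocates for one chunk's payload (example value). */
#define PAYLOAD_CAP 16

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable version: copies as many bytes as the file *claims* the payload has.
 * A declared size larger than PAYLOAD_CAP makes memcpy write past the end of the
 * heap block, corrupting neighbouring allocations. It is here only to show the
 * missing check; never run it on untrusted input. */
int decode_unchecked(const uint8_t *file, size_t len, uint8_t *out) {
    if (len < 8) return -1;
    uint32_t declared = rd_le32(file + 4);
    uint8_t *buf = malloc(PAYLOAD_CAP);
    if (!buf) return -1;
    memcpy(buf, file + 8, declared);      /* heap overflow when declared > PAYLOAD_CAP */
    memcpy(out, buf, PAYLOAD_CAP);
    free(buf);
    return 0;
}

/* Hardened version: the declared size is checked against the bytes that really
 * exist in the file and against the destination capacity before anything is copied. */
int decode_checked(const uint8_t *file, size_t len, uint8_t *out) {
    if (len < 8) return -1;
    uint32_t declared = rd_le32(file + 4);
    if (declared > len - 8) return -2;       /* claims bytes the file does not contain */
    if (declared > PAYLOAD_CAP) return -3;   /* would overflow our buffer */
    uint8_t *buf = calloc(1, PAYLOAD_CAP);
    if (!buf) return -1;
    memcpy(buf, file + 8, declared);
    memcpy(out, buf, PAYLOAD_CAP);
    free(buf);
    return 0;
}

/* Build a chunk in memory: tag, declared size, payload. The declared size is a
 * separate argument so a test can make it lie about the payload. */
size_t make_chunk(uint8_t *dst, size_t cap, uint32_t declared,
                  const uint8_t *payload, size_t payload_len) {
    if (cap < 8 + payload_len) return 0;
    memcpy(dst, "VP8L", 4);
    dst[4] = (uint8_t)(declared);       dst[5] = (uint8_t)(declared >> 8);
    dst[6] = (uint8_t)(declared >> 16); dst[7] = (uint8_t)(declared >> 24);
    memcpy(dst + 8, payload, payload_len);
    return 8 + payload_len;
}

/* A well-formed chunk decodes and its bytes land in the output (returns 0). */
int demo_benign(void) {
    uint8_t file[64], out[PAYLOAD_CAP];
    const uint8_t payload[4] = {1, 2, 3, 4};
    size_t n = make_chunk(file, sizeof file, 4, payload, sizeof payload);
    if (decode_checked(file, n, out) != 0) return 1;
    return (out[0] == 1 && out[1] == 2 && out[2] == 3 && out[3] == 4 && out[4] == 0) ? 0 : 2;
}

/* Crafted chunk: 32 real payload bytes, declared 32, capacity 16 -> rejected (-3). */
int demo_oversized(void) {
    uint8_t file[64], out[PAYLOAD_CAP];
    const uint8_t payload[32] = {0};
    size_t n = make_chunk(file, sizeof file, 32, payload, sizeof payload);
    return decode_checked(file, n, out);
}

/* Crafted chunk: 4 real bytes but declares 1000 -> rejected before any read (-2). */
int demo_truncated(void) {
    uint8_t file[64], out[PAYLOAD_CAP];
    const uint8_t payload[4] = {9, 9, 9, 9};
    size_t n = make_chunk(file, sizeof file, 1000, payload, sizeof payload);
    return decode_checked(file, n, out);
}

int main(void) {
    printf("benign=%d oversized=%d truncated=%d\n",
           demo_benign(), demo_oversized(), demo_truncated());
    return 0;
}
```

The point of the two versions is the order of operations: the hardened decoder validates the untrusted length against both the input that actually exists and the output it owns before the first byte moves, while the unchecked one lets a number chosen by whoever made the file decide how much it writes. Real image decoders carry dozens of such length and table-size fields, and any one of them trusted without a bound is the same class of bug.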
Huge numbers of websites use WebP files due to their excellent balance of quality and file size, so the number of users who could be affected by this exploit is enormous. But that’s not the only thing that makes this bug so serious.
Not just websites
Because the bug is in the shared WebP decoding library, libwebp, it’s also found in many apps that bundle that library to display WebP images. Apps affected include Telegram, 1Password, Signal, LibreOffice, the Affinity suite of design apps, and many more.
The developers of several of these apps have begun rolling out fixes, with 1Password, Chrome, Firefox, Edge, and Brave having issued updates. Apple has also published an update to macOS Ventura that is reported to fix the same bug.
Ivanovs says that the vulnerability was first reported by Apple’s Security Engineering and Architecture team, together with The Citizen Lab at The University of Toronto’s Munk School. The bug was reported on September 6, 2023, and has the identifier CVE-2023-4863.
Due to the potential severity of this bug, you should check your apps for updates as soon as possible, and make sure to update them as quickly as you can. Because many apps ship their own copy of the WebP decoder rather than relying on the browser or operating system, updating your browser alone does not cover them; each affected app needs its own patched release. Keeping everything current is the best way to keep your computer safe from this exploit.