Blasting Past WebP - An analysis of the NSO BLASTPASS iMessage exploit
134 comments
·March 27, 2025nneonneo
ogurechny
A strange choice of words. It's like saying “cannibalism is pretty gross, but the chef outdid himself on those slices”.
Moreover, even if it's complex from the technical point of view, morally it's dead simple: hired programmer is the same as dirty grunt with a gun, and the leader delivering speeches, and the rocket engine scientist, and the data processing clerk, and everyone in between. They all serve the Order they believe in, the king of this world.
heavensteeth
> It's like saying [...]
"Proof by analogy is fraud" - Bjarne Stroustrup
areyourllySorry
people do like true crime shows so that's that
ogurechny
“True crime” is just fashionable slang for “pulp fiction” and “tabloid journalism”, so there's nothing new here.
hulitu
> using multiple image files with unexpected formats,
Unexpected ? You mean your jpeg file is not a jpeg. Why not throw an error message then ? Why does (iMessage) it have to open every byte thrown at it ?
botanical
NSO Group are a terrorist group for hire. This 0-click, 0-day exploit was found targeting civil society. Any one can pay to target journalists, NGOs, politicians. This is why open-source is paramount to security, and having code out in the open.
jsheard
Supposedly NSOs products are classed as restricted weapons exports by the Israeli government, and all sales have to be approved by the Ministry of Defense, so they have their own share of the blame when it falls into the wrong hands.
acdha
Your conclusion is not connected to the first. Open source software has had many issues over the years and reading the technical details in this post should make it clear that there’s no magic solution to an adversary with this level of resources.
myth_drannon
Well, people are going to be targeted anyway. It's better to keep a trail of who is doing what, and that's the purpose of all those offensive cyber startups.
Do they make it easier for actors to perform those activities? Not sure. I was never shopping for 0-day exploits. And some argue it's similar to gun laws in US, if it's easier to buy firearms, someone is more likely to use it. I just don't buy this comparison.
bri3d
How does one of these points relate to the other in any capacity?
nxobject
At this point, I think Apple's platform security teams have to seriously [edit: by default] start mitigating attachment exploits in ways that affect UX – _not_ rendering message previews, or blacklisting formats by defaults. Given Apple's pro-privacy messaging – and acceptance of things like Signal auto delete – think Apple's user base might now be comfortable with taking hits to UX in the name of security.
snailmailman
Lockdown mode does this. Preventing weird attachment types entirely. Preventing most of the “edge case” things. Like you also can’t be added to an icloud album, or install new configuration profiles.
Although it’s a bit extreme. It disables almost all web-fonts which breaks a lot of websites. (It’s easy to toggle this, but you have to do so per-site) It’s really not designed for the average user.
jeroenhd
I think lockdown mode is fine for most people. Yes, some websites are broken because they assume their font always loads, but I've never really felt bothered by issues like that. Then again, I've never really used iCloud, so maybe I'm missing out on something there.
Many edge cases covered, like not being able to add configuration profile, are fixes to insecure defaults IMO.
ipython
I'm sure nobody would think of targeting the national security apparatus of the USG with such an exploit to gain access to... I dunno, their Signal messages?
mrguyorama
One of the members of that group was accessing it from Moscow to meet with Putin.
Our adversaries don't have to hack anything at all, they don't even seem to have to ask nicely. There's zero chance that Putin doesn't let China know anything they want about the Trump admin, and Putin himself seems to get to dictate our country's policy now.
This has been the case among republicans for decades, and Mitch McConnell himself (and 6 others) spent the 4th of July 2018 in Moscow for christ's sake.
nxobject
Essentially relying on COTS software with likely exploit bounties targeting dozens of high-value targets other than the USG – what could go wrong?
michaelt
Do you think special custom software, developed under government contract, would be any more secure?
My experience with software procured by the government is that it's not winning any awards for best software.
EasyMark
I think it's more so that those aren't as readily available as signal to get at the exploits, and it would be on gov provided devices not on everyday phones that people install just whatever on and then decide to set up a chat group and talk about blowing up brown people whimsically.
outer_web
Simply rebuilding software for limited distribution makes it more secure.
danilonc
Would Lockdown Mode mitigate any part of this exploit chain?
If so, which aspects would it block? The Apple support page mentions that most message attachment types are blocked, *except* for certain images, videos, and audio. Given this, would Lockdown Mode have prevented this exploit?
processunknown
Do they even specify which types are blocked?
bawolff
> The closest thing to a specification for the PKPass format appears to be the Wallet Developer Guide, and whilst it doesn't explicitly state that the .png files should actually be Portable Network Graphics images, that's presumably the intention.
Lol, that got a chuckle out of me.
Amazing write up by google project zero as always.
qingcharles
One of the tricks mentioned in here -- changing the extension to bypass a check -- works great on a ton of sites. Many sites won't let you upload a .gif file, but don't actually check the contents of the file, so just rename your .gif to a .jpg and voilà!
(you can sometimes get this to allow you to upload and execute server-side scripting pages too)
cedws
It’s always codecs.
I don’t always buy into the $safelanguage cargo cult but come on, it’s apparent that memory unsafe languages are not appropriate for this purpose and desperately need replacing.
01HNNWZ0MV43FF
Well the principle reason to use Rust is that it has good tagged unions
But I don't even buy into the cargo cult cargo cult https://www.righto.com/2025/01/its-time-to-abandon-cargo-cul...
null
junto
There always been an issue here with files reporting to be one thing but being another.
Trusting the file extension is amateur to say the least.
‘Magic strings’ in the header of the file is the usual way, but even then, you can’t really trust it.
What we really need is some way to guarantee that the contents are in a valid format as defined by the header, and haven’t been tampered with and signed as such, and embeds that in the file itself. Then I can take the contents of the file after the header, hash it and compare it with the embedded sig.
Back porting this to standard formats though would be a nightmare.
klabb3
So an attacker should sign their malicious webp or jpeg files beforehand? That doesn’t help at all.
No, I agree very much with parent here. I think compile time safety and rust fanatism has been oversold, but let’s face it this is the perfect use case, a match made in heaven.
Decoding in C/C++ has a Dunning Kruger deceitful appeal. People think they can do it, but time and time again, we find critical holes, even when written by 10x wizard Nobel laureate engineers.
At the same time, decoding needs to be crazy performant. So, this is the moment to shine for languages like Rust. I am 100% in support of this.
unit149
[dead]
oguz-ismail
skill issue+no serious alternative
What's the point of WebP anyway?
greenavocado
JPEG-XL is the future everything else is forced/shilled to the extreme without considering its merits. Don't even get me started how some website will show a URL to a JPEG and when you try to save it, it tries to save a WebP.
WebP suffers from excessive generation loss for a modern codec.
latexr
I find it curious how the AVIF deterioration resembles an old physical photograph. I wonder why that is. Do you know of more comparisons like this? I’d like to observe the effect further but don’t have the availability right now to pursue it.
jeroenhd
JPEG-XL works in even fewer programs than WebP does, though, which is almost impressive given WebP's reputation.
dev1ycan
Yeah but Google goes out of their way to kill jpeg-xl, they really deserve to lose chrome
actionfromafar
https://github.com/google/wuffs <-- DSL created explicitly for wrangling fileformats safely
yjftsjthsd-h
And - https://github.com/google/wuffs/blob/main/doc/std/image-deco... with a webp implementation.
nxobject
I wouldn't be surprised if some security team at Apple was cooking up a bespoke DSL as well – NIH seems to happen once in a while.
jonatron
Thank you, I spent a few minutes failing to google this.
internetter
Written in C? Unless I'm missing something this isn't better than other unsafe options
voidUpdate
Good compression for web images. I converted the images on my website to webp and saw a huge reduction in filesizes with virtually no loss in quality, but it still keeps an alpha channel unlike jpg
oguz-ismail
>Good compression for web images
Storage is cheap, bandwidth is cheap, so who cares?
>alpha channel
Share an example from your website. I really want to see what it looks like
adzm
Alpha channels in a lossy image? Animated lossy image?
Regardless, things like this really help explain the hesitation behind adopting jpegxl.
I'm a big fan of AVIF files though.
IshKebab
Only if they implement jpegxl decoders in C/C++. I would really hope that isn't the case.
Seems like they agree: https://github.com/mozilla/standards-positions/pull/1064
oguz-ismail
>Alpha channels in a lossy image?
Why?
>Animated lossy image?
It's called a video
dlachausse
No serious alternative? Apple could easily make a safe image handling library in Swift.
ChocolateGod
Swift is underrated, I wish it had more traction outside Apples ecosystem.
Easy to learn, fast and memory safe without a GC.
lukeh
Just FYI to the article, more recent versions of CF are available as part of swift-corelibs-foundation.
favorited
They're newer, but they aren't at all similar to what ships on Apple's OSes anymore. These days, the layers have flipped, and CoreFoundation is becoming a wrapper around swift-foundation.
CF functions toll-free bridge the CF types to their Foundation counterparts and invoke the corresponding Objective-C API, which is either implemented directly in Swift, or is a wrapper around the Swift function.
An Apple employee on the Foundation team posted an example of how calling `CFCalendarCreateWithIdentifier` works here: https://forums.swift.org/t/swift-foundation-now-available/73...
I'm sure it's still a work-in-progress, but their definitive goal is for the OSS swift-foundation codebase to be the same as what ships in their OSes, which was never the case with swift-corelibs-foundation.
Edit: I found a conference talk by some Apple folks that goes into more detail https://www.youtube.com/watch?v=wn6C_XEv1Mo
saagarjha
swift-foundation will never be the code that ships on the OS, mostly because they always have some private bits they won't expose. Come back when URL bookmarks are part of the open source dump.
favorited
Of course the entire binary will never be the same, but the implementation of (for example) DateComponents.swift in OSS swift-foundation will be the same implementation that is used to build the OS library.
Going forward, the bedrock of both the OSS package and the platform [Core]Foundation.framework will be swift-foundation. This is distinct from SCF, which was a novel Swift wrapper around CoreFoundation.
lukeh
Sure, but that’s not relevant in the timeline of the OP.
TheDong
It feels so ridiculous to me that a total stranger can send an iMessage message to me, including some attachment, and my phone will process that message in the kernel.
How hard would it be for apple to have a setting of "Only receive messages from mutual contacts", and require the stranger to first "request to be added to contacts" (a message which is tightly controlled, and obviously doesn't include a pdf file or webp or whatever), and have the apple imessage server drop all other messages from them until I accept.
Signal has "message requests". iMessage doesn't have "message requests", and receives messages in a unique path which goes through the kernel.
Like, sure the attacker could hit my Mom with a wrench and iMessage me a PDF exploit that way, but I feel like requiring physical access to one of my contact's phones raises the bar significantly over the current state of affairs.
nneonneo
It’s not being processed in the kernel - BlastDoor is a heavily-sandboxed user process. This attack chains together a bunch of exploits - including an encrypted BlastDoor sandbox bypass - in order to gain full control over a device.
JoshTriplett
And this is one of many reasons why analyses like this provide so much value. It's fascinating that the actual sandbox bypass in this case is so carefully protected. If that sandbox bypass code could be decrypted and reverse-engineered, it could point to the actual vulnerability being exploited, which could then be fixed.
tialaramex
I can already guess without looking that the sandbox is excellent except that oops there's a few edge cases that were MUST FIX, so, we had to cut a small hole in it. The people who understand how difficult this is to do properly built the actual sandbox which will be fine, the ragged hole cut in it (and exploited) was implemented by somebody for whom the sandbox is just another annoying thing they need to work around to get their job done and they don't care that they made it worthless.
conradev
A total stranger can send radio waves at you and your phone will process them on a processor close to the kernel: https://googleprojectzero.blogspot.com/2017/09/over-air-vol-...
ls612
I’m pretty sure that the modem on modern iPhones can only access a small memory address range and that this is cryptographically enforced by the Secure Enclave. So an exploit in modemland doesn’t allow reading unencrypted info (since everything today is encrypted at the application level).
I’ll see if I can find the citation in the Platform Security document when I get home.
conradev
The Secure Enclave is nowhere between the AP and the Broadcom chip.
The application processor has an IOMMU and the kernel uses it to restrict what the Broadcom chip has access to, and the linked article series discusses exploiting the IOMMU. There is more detail in the Project Zero write-up than Apple's own PDF.
The actual solution here is to remove the insecure Broadcom chip entirely, which is what Apple ultimately did. PCI-e and MMIO are quite risky, but ultimately necessary for performance. I think PinePhone series talks to their Broadcom chip over USB, which is a lot more secure, but the performance is worse.
bri3d
I don't think there's anything cryptographic about the baseband communication on an iPhone, or that they're connected through the Secure Enclave. I think they're just PCIe endpoints with IOMMU (which is fine as long as the IOMMU is configured correctly). My understanding is that for most iPhones, a repair shop can replace the baseband hardware itself without the phone noticing, which also suggests that there's no pairing or hardware trust model / key exchange between the AP and baseband.
Post-boot communication with the host processor on Qualcomm-baseband iPhones (iPhone 12-16 non-E) is the usual Qualcomm QMI/QMUX over PCIe (CommCenter uses libPCITransport to send messages).
The Platform Security document just says "On devices with cellular access, a cellular baseband subsystem performs additional secure booting using signed software and keys verified by the baseband processor" and "Each network processor is on its own isolated PCIe bus. An Input/ Output Memory Management Unit (IOMMU) on each PCIe bus further limits the network processor’s DMA access to only memory and resources containing its network packets and control structures."
Scramblejams
Signal has "message requests". iMessage doesn't have "message requests", and receives messages in a unique path which goes through the kernel.
Signal's message request, notably, also shows me the requester's avatar image. I don't know if that hits the kernel but it certainly hits code that as a category has suffered lots of security issues over the years. Which is to say: There's room for improvement all over!
kevin_thibedeau
That doesn't solve the core problem that untrusted data from an external source can compromise the system. Any person in your contacts can suffer from an exploit that lets an attacker target you. You don't want data from them to be whitelisted.
TheDong
I want to respond to the strongest interpretation of your comment, but no matter how I read it, all I'm getting is "defense in depth is meaningless".
Do you also think apple shouldn't have bothered building blastdoor sandboxing, since all the code running in the sandbox should just be flawless code with no security issues anyway? Is ASLR not worth it since the core problem is that there are memory safety bugs, and so we should instead just write it all in rust and not do ASLR or such?
I'm not saying we shouldn't fix security issues, just suggesting a defense in depth mechanism that in practice seems like it'd make most people a lot safer.
null
kevin_thibedeau
This is all a fuckup by the responsible vendor Apple who isn't comprehensively using commercial static analyzers that can easily detect this sort of buffer overflow. They both have billions in cash to pay for dedicated engineering teams to do this work.
gus_massa
Here in Argentina it's somewhat common to recibe social engineering attacks to steal the WhatsApp account. When they success, they send money request to all the contacts [1]. So once you add your Mom, they only need to convince her to give them access to her account, not the physical device.
[1] I got one 2 weeks ago. More details in https://news.ycombinator.com/item?id=43361556
yjftsjthsd-h
I wonder if "Filter messages from unknown senders" ( https://support.apple.com/guide/iphone/block-filter-and-repo... ) skips any processing.
Also, I really thought there was an option to somehow restrict media in messages, but I can't seem to find docs for that.
aeontech
I believe enabling lockdown mode disables media previews in messages to prevent exactly these kinds of attacks, among other mitigations.
TheDong
I'd feel much safer if the message was filtered at the server, not on my device.
It's not clear how much or little of the message is processed, but it's clear attacker controlled data lands on my device.
> an option to somehow restrict media in messages
"LockdownMode", which removes attachments, but also turns off JIT in your browser, and removes the ability to install configuration profiles, among other things.
For some reason apple has a security setting that restricts iMessage media, but to opt into that, you also have to make your web browser useless and have GPS stripped from your photos, idk, apparently "enable" toggles are expensive and they could only afford a single one for like 10 unrelated security features.
toast0
If the message is filtered at the server, it adds a lot of requirements you might not actually want:
1) the server needs to have your contact list, in a form where it can query if user X is in user Y's contacts, in order to do filtering.
1a) If you really meant mutual contacts, the server needs to process contact lists from both parties together. If you are ok with getting a media message from someone who doesn't have you in their contacts but you have them in yours, this one is skipped.
1b) The server needs to know who the message is from and who it is to at the same time.
2) If you're ok with a text message, but not a media message, the server needs to know the difference between text and media messages.
3) I'm not familiar with the details of iMessage, but often messengers use a pattern where a media message is really a link to a media file on some blob server, optionally with some text. If you want the server to remove the link to the file, but allow the text, the server would need to be able to see and process that.
Again, I'm not familiar with how iMessage operates, and some of these may already be aspects of the service, but they're not strict requirements of a messenger service, and the less the server knows about messages and contacts, etc, the more privacy users have from the service.
instagib
I have been running lockdown mode for a while now and it can be painful for shopping but usable. You can disable it on a per site basis in Safari. Stolen device protection mode on also.
To do it and enable side loading you need to do two resets to enable developer mode. I am able to enable a configuration profile also without a problem. It was installed and enabled pre-lockdown and re-enabled in lockdown mode. I just enabled location services for camera and it correctly gps tagged my photo.
The only pain points I have are if someone texts me something other than a picture which is a lockdown feature. For some reason usps tracking webpage fails on all browsers except on Firefox/Firefox focus browser. A few heavily tracked apps or shopping websites don’t like it but tolerate it. Pain: You cannot search your iMessages. I can turn lockdown off on a per app basis excluding iMessage also but have not needed to.
larfus
If Apple advertised a toggle that protects you completely but let the users decide the mitigations, it would severely damage its standing as a secure phone when it would inevitability get exploited. (Targeted) Apple users are usually not technical.
jakub_g
Semi-relatedly: How does this look like for Whatsapp and Telegram? Can a stranger send me an attachment? Never saw this happen, I always receive short messages from scammers like "Hello" w/o attachments, but I wonder if this is possible.
saagarjha
Sure, they can just send you an image. People who are scamming you aren't trying to burn 0 days.
saagarjha
That's Lockdown mode. Also the message is not processed in the kernel.
dfawcus
I've been using an iphone in lockdown mode for a while now, simply to disable a number of the poor security design choices Apple made.
One thing I just noticed this last week after upgrading to 18.x is that lockdown mode also disables RCS. I found I couldn't enable RCS, so turned lockdown mode off, found RCS now worked, then turned lockdown back on.
I can live without RCS mode.
For me, the one real annoyance of lockdown mode is that it disables 2G connectivity. Oh well, I guess one can carry a second 2G capable feature phone.
saagarjha
Note that 2G is generally considered to be insecure (hence why it's disabled).
raquelledger330
[dead]
This exploit is just wild. There are just so many little tricks connected together - using multiple image files with unexpected formats, aligning heap chunks to sit on easily-predicted and manipulable addresses, deserializing a huge object graph from image metadata, the usual NSExpression insanity, PAC bypass via unsigned pointers to function-pointer-containing structures, etc. etc. I thought the last exploit (where they built an entire virtual CPU out of image decompression commands: https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-i...) was crazy, but that involved a lot fewer "tricks" than this exploit.
Many of these tricks are non-public, meaning that NSO would have had to spend a huge amount of time and effort researching every single one of these. They probably have many more tricks they know about and haven't used. And, Apple could patch every one of them in a future update and roll back all of that work.
There's a good reason why these exploits are expensive and only sent to a limited number of high-value targets. NSO this time around also worked to "protect their IP" using encryption to hide part of their exploit chain, presumably in a bid to avoid losing yet more of their precious zero-days to researchers.
What they're doing is pretty gross (particularly the whole spying-on-journalists bit), but you have to admit the level of technological sophistication and persistence here is pretty impressive.