Skip to main content
  1. Home
  2. Computing
  3. News

This massive exploit lets hackers breach apps like Chrome, 1Password, and Telegram

Add as a preferred source on Google

A massive security bug has just been discovered that affects WebP images used in untold numbers of websites and apps, and it could potentially let hackers break into your computer and extract data from it. In fact, Google has already seen it being actively exploited in the wild. Because of that, it’s essential that you patch your computer as soon as possible.

The discovery has been detailed by researcher Alex Ivanovs, who wrote about the bug in a blog post. Right now, it seems to affect almost all of the best web browsers, including Chrome, Firefox, Edge, and Brave. WebP images are used all over the web, meaning huge numbers of sites and apps could be affected.

A dark mystery hand typing on a laptop computer at night.
Andrew Brookes / Getty Images

The exploit relates to what’s called a heap overflow bug in a codec that interprets and displays WebP images. This overflow bug occurs when more data is sent to an app’s “heap” memory than it is designed to hold. This can allow nefarious code to replace good code, with the result that apps can behave in unexpected — and potentially malicious — ways.

Recommended Videos

In the case of WebP files, an attacker could create a WebP image that hides malware code. When you view this image, the code could be executed, allowing the attacker to gain access to your computer or steal data stored on it, which might include incredibly sensitive information like your passwords or credit card details.

Huge numbers of websites use WebP files due to their excellent balance of quality and file size, so the number of users who could be affected by this exploit is enormous. But that’s not the only thing that makes this bug so serious.

Not just websites

A large monitor displaying a security hacking breach warning.
Stock Depot / Getty Images

Because the bug affects a WebP codec, it’s also found in many apps that need a way to display WebP images. Apps affected include Telegram, 1Password, Signal, LibreOffice, the Affinity suite of design apps, and many more.

The developers of several of these apps have begun rolling out fixes, with 1Password, Chrome, Firefox, Edge, and Brave having issued updates. Apple has also published an update to macOS Ventura that supposedly fixes the bug.

Ivanovs says that the vulnerability was first reported by Apple’s Security Engineering and Architecture team, together with The Citizen Lab at The University of Toronto’s Munk School. The bug was submitted on September 6, 2023, and has the identifier CVE-2023-4863.

Due to the potential severity of this bug, you should check your apps for updates as soon as possible, and make sure to update them as quickly as you can. That’s the best way to keep your computer safe from this exploit.

Alex Blake
Alex Blake has been working with Digital Trends since 2019, where he spends most of his time writing about Mac computers…
Google’s new Magic Pointer Play Store listing reveals a Gemini shortcut built for Googlebooks
The unannounced app turns the cursor into a contextual AI tool for search, image creation, and shopping
Plant, Text, Business Card

Google has quietly published a new Play Store listing for Magic Pointer, an unannounced app built for Googlebooks. Updated on July 10, the app turns the cursor into a Gemini shortcut that can act on whatever a user selects on screen.

Magic Pointer can send an image to Lens, generate a related image, or surface a shopping action without forcing users to open a separate chatbot. Regular Android devices currently show as incompatible, so the listing offers an early preview rather than a broad release.

Read more
You can stop using AI, but this new report says you probably can’t escape it
A UK survey found that most people feel AI exposure is unavoidable, raising harder questions about consent, privacy, and whether opting out is still realistic
AI Chatbots

More people are trying to use less AI, but avoiding it altogether may already be impossible.

A survey of 2,055 UK adults found that 42% deliberately limit how much AI they use. Another 70% said avoiding AI exposure would be difficult or impossible, even when they actively wanted less of it.

Read more
The face on an AI interviewer may matter as much as the decision it makes
Researchers found that race and gender matching changed how fairly rejected applicants viewed an automated interview, even though everyone received the same outcome
File, Computer Hardware, Electronics

An AI hiring system can treat every applicant the same and still leave some people feeling targeted. Researchers found that rejected candidates judged an automated interview differently depending on the race and gender of the avatar delivering the result.

Around 220 participants completed a simulated interview for a fictional customer support role with one of four photorealistic AI avatars. Everyone was rejected, yet perceptions of fairness shifted with the interviewer’s appearance. An algorithm audit could miss that reaction because candidates don’t experience the system as raw code. They experience a face asking questions and judging their answers.

Read more