Skip to main content

This massive exploit lets hackers breach apps like Chrome, 1Password, and Telegram

A massive security bug has just been discovered that affects WebP images used in untold numbers of websites and apps, and it could potentially let hackers break into your computer and extract data from it. In fact, Google has already seen it being actively exploited in the wild. Because of that, it’s essential that you patch your computer as soon as possible.

The discovery has been detailed by researcher Alex Ivanovs, who wrote about the bug in a blog post. Right now, it seems to affect almost all of the best web browsers, including Chrome, Firefox, Edge, and Brave. WebP images are used all over the web, meaning huge numbers of sites and apps could be affected.

A dark mystery hand typing on a laptop computer at night.
Andrew Brookes / Getty Images

The exploit relates to what’s called a heap overflow bug in a codec that interprets and displays WebP images. This overflow bug occurs when more data is sent to an app’s “heap” memory than it is designed to hold. This can allow nefarious code to replace good code, with the result that apps can behave in unexpected — and potentially malicious — ways.

In the case of WebP files, an attacker could create a WebP image that hides malware code. When you view this image, the code could be executed, allowing the attacker to gain access to your computer or steal data stored on it, which might include incredibly sensitive information like your passwords or credit card details.

Huge numbers of websites use WebP files due to their excellent balance of quality and file size, so the number of users who could be affected by this exploit is enormous. But that’s not the only thing that makes this bug so serious.

Not just websites

A large monitor displaying a security hacking breach warning.
Stock Depot / Getty Images

Because the bug affects a WebP codec, it’s also found in many apps that need a way to display WebP images. Apps affected include Telegram, 1Password, Signal, LibreOffice, the Affinity suite of design apps, and many more.

The developers of several of these apps have begun rolling out fixes, with 1Password, Chrome, Firefox, Edge, and Brave having issued updates. Apple has also published an update to macOS Ventura that supposedly fixes the bug.

Ivanovs says that the vulnerability was first reported by Apple’s Security Engineering and Architecture team, together with The Citizen Lab at The University of Toronto’s Munk School. The bug was submitted on September 6, 2023, and has the identifier CVE-2023-4863.

Due to the potential severity of this bug, you should check your apps for updates as soon as possible, and make sure to update them as quickly as you can. That’s the best way to keep your computer safe from this exploit.

Editors' Recommendations

Alex Blake
In ancient times, people like Alex would have been shunned for their nerdy ways and strange opinions on cheese. Today, he…
No, 1Password wasn’t hacked – here’s what really happened
A person using the 1Password password manager on a laptop while sat on a couch.

Password managers have been struggling with security breaches in recent months, with LastPass suffering a particularly bad hack as a notable example. So when 1Password users got an alert last week saying their Secret Keys and passwords had been changed without their knowledge, they were understandably panicked. Luckily, all was not what it seemed.

That’s because AgileBits, the company behind 1Password, has just explained exactly what went wrong during that event. And while it wasn’t as bad as everyone first thought, it still doesn’t paint AgileBits in a particularly good light.

Read more
This Bing flaw let hackers change search results and steal your files
The new Bing preview screen appears on a Surface Laptop Studio.

A security researcher was recently able to change the top results in Microsoft’s Bing search engine and access any user’s private files, potentially putting millions of users at risk -- and all it took was logging into an unsecured web page.

The exploit was discovered by researcher Hillai Ben-Sasson at their team at Wiz, a cloud security firm. According to Ben-Sasson, it would not only allow an attacker to change Bing search results but would also grant them access to millions of users’ private files and data.

Read more
This major Apple bug could let hackers steal your photos and wipe your device
A physical lock placed on a keyboard to represent a locked keyboard.

Apple’s macOS and iOS are often considered to be more secure than their rivals, but that doesn’t make them invulnerable. One security team recently proved that by showing how hackers could exploit Apple’s systems to access your messages, location data, and photos -- and even wipe your device entirely.

The discoveries were published on the blog of security research firm Trellix, and will be of major concern to iOS and macOS users alike, since the vulnerabilities can be exploited on both operating systems. Trellix explains that Apple patched the exploits in macOS 13.2 and iOS 16.3, which were released in January 2023, so you should update your devices as soon as you can.

Read more