Skip to main content

This massive exploit lets hackers breach apps like Chrome, 1Password, and Telegram

A massive security bug has just been discovered that affects WebP images used in untold numbers of websites and apps, and it could potentially let hackers break into your computer and extract data from it. In fact, Google has already seen it being actively exploited in the wild. Because of that, it’s essential that you patch your computer as soon as possible.

The discovery has been detailed by researcher Alex Ivanovs, who wrote about the bug in a blog post. Right now, it seems to affect almost all of the best web browsers, including Chrome, Firefox, Edge, and Brave. WebP images are used all over the web, meaning huge numbers of sites and apps could be affected.

A dark mystery hand typing on a laptop computer at night.
Andrew Brookes / Getty Images

The exploit relates to what’s called a heap overflow bug in a codec that interprets and displays WebP images. This overflow bug occurs when more data is sent to an app’s “heap” memory than it is designed to hold. This can allow nefarious code to replace good code, with the result that apps can behave in unexpected — and potentially malicious — ways.

In the case of WebP files, an attacker could create a WebP image that hides malware code. When you view this image, the code could be executed, allowing the attacker to gain access to your computer or steal data stored on it, which might include incredibly sensitive information like your passwords or credit card details.

Huge numbers of websites use WebP files due to their excellent balance of quality and file size, so the number of users who could be affected by this exploit is enormous. But that’s not the only thing that makes this bug so serious.

Not just websites

A large monitor displaying a security hacking breach warning.
Stock Depot / Getty Images

Because the bug affects a WebP codec, it’s also found in many apps that need a way to display WebP images. Apps affected include Telegram, 1Password, Signal, LibreOffice, the Affinity suite of design apps, and many more.

The developers of several of these apps have begun rolling out fixes, with 1Password, Chrome, Firefox, Edge, and Brave having issued updates. Apple has also published an update to macOS Ventura that supposedly fixes the bug.

Ivanovs says that the vulnerability was first reported by Apple’s Security Engineering and Architecture team, together with The Citizen Lab at The University of Toronto’s Munk School. The bug was submitted on September 6, 2023, and has the identifier CVE-2023-4863.

Due to the potential severity of this bug, you should check your apps for updates as soon as possible, and make sure to update them as quickly as you can. That’s the best way to keep your computer safe from this exploit.

Editors' Recommendations

Alex Blake
In ancient times, people like Alex would have been shunned for their nerdy ways and strange opinions on cheese. Today, he…
This huge password manager exploit may never get fixed
A large monitor displaying a security hacking breach warning.

It’s been a bad few months for password managers -- albeit mostly just for LastPass. But after the revelations that LastPass had suffered a major breach, attention is now turning to open-source manager KeePass.

Accusations have been flying that a new vulnerability allows hackers to surreptitiously steal a user’s entire password database in unencrypted plaintext. That’s an incredibly serious claim, but KeePass’s developers are disputing it.

Read more
Hackers dug deep in the massive LastPass security breach
The LastPass logo appears in front of a menacing hooded figure.

The cybersecurity breach that LastPass owner GoTo reported in November 2022 keeps getting worse as new details are revealed, calling into question the company's transparency on this serious issue.

It has been two months since GoTo shared the alarming news that hackers stole the usernames, passwords, email addresses, phone numbers, IP addresses, and even billing information of LastPass users. In GoTo's latest blog update, the company reported that several of its other products were compromised as well.

Read more
This Chrome extension lets hackers remotely seize your PC
A depiction of a hacker breaking into a system via the use of code.

Malicious extensions on Google Chrome are being used by hackers remotely in an effort to steal sensitive information.

As reported by Bleeping Computer, a new Chrome browser botnet titled 'Cloud9' is also capable of logging keystrokes, as well as distributing ads and malicious code.

Read more