Blasting Past WebP - An analysis of the NSO BLASTPASS iMessage exploit
Posted by Ian Beer, Google Project Zero. On September 7, 2023 Apple issued an out-...
A couple of weeks later on September 21st 2023, former Project Zero team lead Ben Hawkes (in collaboration with @mistymntncop) published the first detailed writeup of the root cause of the vulnerability on the Isosceles Blog. The closest thing to a specification for the PKPass format appears to be the Wallet Developer Guide, and whilst it doesn't explicitly state that the .png files should actually be Portable Network Graphics images, that's presumably the intention. In combination with the target device and exact OS build (also contained in the crash log) I could then obtain the matching dyld_shared_cache, subtract the runtime ASLR slide from a bunch of the pointer-looking things in the 1MB object and take a look at them.