Blasting Past WebP - An analysis of the NSO BLASTPASS iMessage exploit

Codecs, Memory Safety, and Analysis Tools

  • Several comments argue that image/audio/video codecs are especially ill-suited to C/C++ and should now be written in memory-safe languages like Rust, seen as a “perfect use case” because they need both performance and safety.
  • Others push back on “Rust cargo cult” rhetoric but still agree: new internet-facing parsers should not be written in unsafe languages.
  • Static analyzers and fuzzing are viewed as necessary but insufficient: libwebp was heavily fuzzed (including via OSS-Fuzz) yet this bug still slipped through. Over-reliance on fuzzing is criticized.

File Formats, WebP, and Attack Surface

  • Discussion of file-type spoofing: extensions and magic headers are both weak trust signals; one proposal suggests embedded signatures over the payload, but others note attackers can sign malicious data too.
  • WebP’s design is criticized: separate lossy/lossless code paths double attack surface; its benefits over JPEG are called marginal, and basing it on a video codec that was soon superseded is seen as a long-term maintenance mistake.
  • Broader lesson suggested: formats and parsers are expensive to secure, and that cost should factor into adopting or inventing new formats.
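The spoofing point above, as an added example (not code from the discussion or from libwebp): a file name and a RIFF/WEBP magic header are both attacker-controlled bytes, so a consumer that trusts them can be handed a structurally inconsistent container, and a signature over the payload only proves who produced it, not that it is safe to parse. All bytes are constructed here; the HMAC-SHA256 tag stands in for an embedded signature so the script stays standard-library only (that substitution is an assumption of the example).

```python
"""Added example: extension, magic header, structural check and a signature
tag evaluated as independent trust signals over constructed RIFF/WEBP bytes.
Not from the original discussion; HMAC stands in for a real signature."""
import hashlib
import hmac
import struct
from typing import List, Optional


def has_webp_extension(name: str) -> bool:
    """Weakest signal: the file name is entirely sender-controlled."""
    return name.lower().endswith(".webp")


def has_webp_magic(data: bytes) -> bool:
    """Slightly better, but still only eight sender-controlled bytes."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WEBP"


def riff_problems(data: bytes) -> List[str]:
    """Walk the RIFF container and report internal inconsistencies.

    Returns an empty list when every declared size fits inside the file.
    This is a container sanity check, not a WebP decoder.
    """
    if not has_webp_magic(data):
        return ["missing RIFF/WEBP magic"]
    problems = []
    riff_size = struct.unpack("<I", data[4:8])[0]
    if riff_size + 8 != len(data):
        problems.append(f"RIFF size field {riff_size} does not match file length {len(data)}")
    offset = 12
    while offset < len(data):
        if offset + 8 > len(data):
            problems.append(f"truncated chunk header at offset {offset}")
            break
        fourcc = data[offset:offset + 4]
        size = struct.unpack("<I", data[offset + 4:offset + 8])[0]
        payload_start = offset + 8
        if payload_start + size > len(data):
            remaining = len(data) - payload_start
            problems.append(f"chunk {fourcc!r} declares {size} bytes but only {remaining} remain")
            break
        offset = payload_start + size + (size & 1)  # RIFF pads odd-sized chunks
    return problems


def build_webp(chunk_fourcc: bytes, payload: bytes, declared_size: Optional[int] = None) -> bytes:
    """Assemble a minimal RIFF/WEBP file; declared_size lets the chunk header lie."""
    size = len(payload) if declared_size is None else declared_size
    chunk = chunk_fourcc + struct.pack("<I", size) + payload
    body = b"WEBP" + chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples (not real images; the VP8L payload bytes are arbitrary).
BENIGN_WEBP = build_webp(b"VP8L", b"\x2f" + b"\x00" * 7)
OVERSIZED_CHUNK_WEBP = build_webp(b"VP8L", b"\x2f" + b"\x00" * 7, declared_size=0x7FFFFFFF)


def sign_tag(key: bytes, data: bytes) -> bytes:
    """Stand-in for an embedded signature (HMAC-SHA256 keeps this stdlib-only)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_tag(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sign_tag(key, data), tag)


DEMO_KEY = b"constructed-demo-key"  # constructed for the example only


def assess(name: str, data: bytes, key: bytes, tag: bytes) -> dict:
    """Evaluate each trust signal separately so their gaps are visible side by side."""
    return {
        "extension_ok": has_webp_extension(name),
        "magic_ok": has_webp_magic(data),
        "structure_ok": not riff_problems(data),
        "signature_ok": verify_tag(key, data, tag),
    }


if __name__ == "__main__":
    # Whoever holds the signing key can sign the malformed file just as easily,
    # so the signature verifies while the structural check is the only one that fails.
    tag = sign_tag(DEMO_KEY, OVERSIZED_CHUNK_WEBP)
    print(assess("photo.webp", OVERSIZED_CHUNK_WEBP, DEMO_KEY, tag))
    print(riff_problems(OVERSIZED_CHUNK_WEBP))
```

Running it shows the oversized-chunk file passing the extension, magic and signature checks and failing only the structural walk, which is the point of the debate: a signature authenticates the source of the bytes, and only the parser that consumes them can decide whether they are well-formed, so hardening has to happen at the parser regardless of what wraps the payload.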

iMessage Threat Model, Filtering, and Lockdown Mode

  • Concern that strangers can trigger complex parsing on devices via iMessage; clarification that processing occurs in a heavily sandboxed user process (BlastDoor), with this exploit chaining multiple bugs including an obfuscated sandbox bypass.
  • Proposals: “message requests,” “contacts-only” messaging, or disabling automatic media rendering. Critics note this doesn’t eliminate risk from compromised contacts, but others frame it as valuable defense in depth.
  • Debate over server-side vs client-side filtering: server-side would require exposing more contact and message metadata, harming privacy.
  • Lockdown Mode is repeatedly mentioned: it blocks most attachments/media previews and various “edge-case” features, but also breaks web fonts, RCS, 2G, some sites/apps, and search in Messages. Some find it usable with per-site/app exceptions; others see it as too blunt and want narrower, attachment-focused toggles.

Exploit Sophistication and Ethics

  • Commenters are struck by the exploit’s complexity: multiple image formats, heap shaping, large metadata-driven object graphs, NSExpression abuse, and PAC bypass, with parts encrypted to hide the sandbox escape.
  • Ethical debate: NSO is described as a mercenary surveillance actor targeting civil society; some invoke export controls and government responsibility.
  • Open source is defended as valuable but not a magic shield against well-resourced adversaries; closed vs open doesn’t fundamentally change the existence of such exploits.