{
	"id": "71fcac89-5de3-42c6-aeea-d63685013bec",
	"created_at": "2026-04-06T01:31:19.301698Z",
	"updated_at": "2026-04-10T03:20:18.987764Z",
	"deleted_at": null,
	"sha1_hash": "4d99ef4a449d9495b169bfa363f0e8935e589a74",
	"title": "Pegasus spyware and how it exploited a WebP vulnerability",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 346985,
	"plain_text": "Pegasus spyware and how it exploited a WebP vulnerability\r\nBy Pieter Arntz\r\nPublished: 2023-09-27 · Archived: 2026-04-06 00:35:05 UTC\r\nRecent events have demonstrated very clearly just how persistent and widespread the Pegasus spyware is. For\r\nthose who have missed the subtle clues, we have tried to construct a clear picture. We attempted to follow the\r\ntimeline of events, but have made some adjustments to keep the flow of the story alive.\r\nOn September 12, 2023 we published two blogs urging our readers to patch, without delay, two Apple issues that were\r\nadded to the catalog of known exploited vulnerabilities by the Cybersecurity \u0026 Infrastructure Security Agency\r\n(CISA), and to apply an update for Chrome that included one critical security fix for an actively exploited\r\nvulnerability.\r\nThe vulnerabilities were discovered as zero-days by Citizen Lab while checking the device of an individual\r\nemployed by a Washington DC-based civil society organization with international offices. The exploit chain based\r\non these vulnerabilities was capable of compromising devices without any interaction from the victim and was\r\nreportedly used by the NSO Group to deliver its infamous Pegasus spyware.\r\nBoth vulnerabilities, CVE-2023-41064 and CVE-2023-4863, stem from the same heap buffer overflow in\r\nlibwebp, the code library used to encode and decode images in the WebP format. This library is embedded in many other\r\nprograms, such as web browsers, to add WebP support, which is why the same bug carries more than one identifier.\r\nSecurity expert Ben Hawkes figured out that the vulnerability was to be found in the “lossless compression”\r\nsupport for WebP, also known as VP8L. 
A lossless image format can store and restore pixels with 100%\r\naccuracy, and WebP does this using an algorithm called Huffman coding.\r\nhttps://www.malwarebytes.com/blog/news/2023/09/pegasus-spyware-and-how-it-exploited-a-webp-vulnerability\r\nPage 1 of 4\n\nAs we saw in the vulnerability descriptions, both vulnerabilities were heap buffer overflows. A buffer overflow is\r\na type of software vulnerability that occurs when a program writes more data into a buffer than the buffer was\r\nallocated to hold, so the excess is written past the end of the buffer into adjacent memory. In a heap buffer\r\noverflow that adjacent memory usually belongs to other allocations, which is what makes such bugs exploitable.\r\nThe vulnerable versions of libwebp allocate the Huffman tables using a size looked up from a fixed, pre-calculated\r\ntable, and then build the Huffman lookup tables directly into that allocation without checking that they fit. A\r\nspecially crafted image file could declare Huffman code lengths that required larger tables than the pre-calculated\r\nsize allowed, so the table data overflowed the allocation into other memory locations.\r\nEven a seasoned security expert like Ben Hawkes, who figured out where the problem was, had a hard time\r\nfinding a way to exploit this issue. Imagine, then, how much harder it must have been to find when there was no clue that a\r\nvulnerability even existed. It helps that libwebp is an open source library, so anyone interested can review the\r\ncode. Ben explained that even extensive fuzzing had never revealed the problem.\r\nSomeone, or a group of people, must have taken it upon themselves to really dive into the code. Ben wrote:\r\n“In practice, I suspect this bug was discovered through manual code review. In reviewing the code, you\r\nwould see the huffman_tables allocation being made during header parsing of a VP8L file, so naturally\r\nyou would look to see how it’s used. 
You would then try to rationalize the lack of bounds checks on the\r\nhuffman_tables allocation, and if you’re persistent enough, you would progressively go deeper and\r\ndeeper into the problem before realizing that the code was subtly broken. I suspect that most code\r\nauditors aren’t that persistent though — this Huffman code stuff is mind bending — so I’m impressed.”\r\nThen again, given how much money a fully functional exploit chain can fetch, there should be\r\nmore than enough people willing to put in the work and shove their conscience aside.\r\n20 million dollars for top-tier full-chain mobile exploits\r\nAnd although Google and Apple have issued updates to patch this vulnerability, libwebp is used in many other\r\napplications, each of which needs its own fix. It may also take a while before the Android update trickles down to every make and\r\nmodel. Regular readers may know that when there is an update for the Android operating system—software that sits at\r\nthe core of about 70% of all mobile devices—it can take a very long time to reach end users due to a patch gap. This is\r\nbecause many mobile phone vendors ship their devices with their own tweaked versions of Android, and the\r\npatches need to be tested on those versions before they can be rolled out.\r\nNSO Group, which markets the Pegasus spyware, has shown it is interested in acquiring such exploits. 
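The libwebp table-sizing bug described above, as an added example that is not code from the original post or from libwebp: a simplified two-level Huffman lookup table builder in C, in the style of libwebp’s BuildHuffmanTable, with the sizing-pass-then-allocate structure the fix introduced. Two constructed code-length sets are embedded, a typical one (232 eight-bit and 48 nine-bit codes) and a crafted one that chains 9- to 15-bit codes under many 8-bit prefixes. The alphabet size NSYM, the FIXED_TABLE_BUDGET of 512 entries and both length sets are assumptions standing in for libwebp’s real alphabets and its kTableSize array, whose values differ, and the table layout is simplified.

```c
#include <stdint.h>
#include <stdlib.h>

/* Added example, not libwebp code: a two-level Huffman lookup table builder in
   the style of libwebp's BuildHuffmanTable. NSYM and FIXED_TABLE_BUDGET are
   constructed stand-ins for the VP8L alphabet sizes and kTableSize entries. */
#define MAX_CODE_LEN 15          /* VP8L limit on Huffman code lengths */
#define ROOT_BITS 8              /* first-level table indexed by 8 bits */
#define NSYM 280                 /* constructed alphabet size */
#define FIXED_TABLE_BUDGET 512   /* hypothetical precomputed allocation */

typedef struct { uint8_t bits; uint8_t is_link; uint16_t value; } Entry;

/* Canonical codes from lengths; -1 unless the lengths form a complete code. */
static int assign_canonical_codes(const uint8_t *lens, int n, uint16_t *codes) {
  int count[MAX_CODE_LEN + 1] = {0}, next[MAX_CODE_LEN + 1] = {0};
  int i, len, code = 0, space = 0;
  for (i = 0; i < n; i++) { if (lens[i] > MAX_CODE_LEN) return -1; count[lens[i]]++; }
  count[0] = 0;
  for (len = 1; len <= MAX_CODE_LEN; len++) {
    space += count[len] << (MAX_CODE_LEN - len);
    next[len] = code = (code + count[len - 1]) << 1;
  }
  if (space != (1 << MAX_CODE_LEN)) return -1;   /* Kraft sum must be exactly 1 */
  for (i = 0; i < n; i++) codes[i] = lens[i] ? (uint16_t)next[lens[i]]++ : 0;
  return 0;
}

/* Root table plus one second-level table per 8-bit prefix with longer codes.
   Returns the entry count needed, or -1 for a bad code. table == NULL runs only
   the sizing pass (what the libwebp fix added); otherwise nothing is written
   unless the whole table fits in capacity. */
int build_two_level_table(const uint8_t *lens, int n, Entry *table, int capacity) {
  uint16_t codes[NSYM];
  uint8_t max_under[1 << ROOT_BITS] = {0};
  int sub_off[1 << ROOT_BITS] = {0}, i, j, p, total = 1 << ROOT_BITS;
  if (n > NSYM || assign_canonical_codes(lens, n, codes) != 0) return -1;
  for (i = 0; i < n; i++)                 /* longest code under each 8-bit prefix */
    if (lens[i] > ROOT_BITS) {
      p = codes[i] >> (lens[i] - ROOT_BITS);
      if (lens[i] > max_under[p]) max_under[p] = lens[i];
    }
  for (p = 0; p < (1 << ROOT_BITS); p++)  /* subtable for p holds 2^(max - 8) entries */
    if (max_under[p]) { sub_off[p] = total; total += 1 << (max_under[p] - ROOT_BITS); }
  if (table == NULL) return total;
  if (total > capacity) return -1;        /* the check the vulnerable code lacked */
  for (p = 0; p < (1 << ROOT_BITS); p++)  /* root entries that point at a subtable */
    if (max_under[p]) { Entry e = {max_under[p], 1, (uint16_t)sub_off[p]}; table[p] = e; }
  for (i = 0; i < n; i++) {
    int l = lens[i], sub = l - ROOT_BITS, m, base, span;
    Entry e = {(uint8_t)l, 0, (uint16_t)i};
    if (l == 0) continue;
    if (l <= ROOT_BITS) { base = codes[i] << (ROOT_BITS - l); span = 1 << (ROOT_BITS - l); }
    else {                                /* long code: fill its slice of the subtable */
      m = max_under[codes[i] >> sub] - ROOT_BITS;
      base = sub_off[codes[i] >> sub] + ((codes[i] & ((1 << sub) - 1)) << (m - sub));
      span = 1 << (m - sub);
    }
    for (j = 0; j < span; j++) table[base + j] = e;
  }
  return total;
}

/* Decodes one symbol from the low nbits of code (MSB first, nbits 1..32). */
int decode_one(const Entry *table, uint32_t code, int nbits) {
  uint32_t msb = code << (32 - nbits);           /* left-align the bit string */
  const Entry *e = &table[msb >> (32 - ROOT_BITS)];
  if (e->is_link) e = &table[e->value + ((msb << ROOT_BITS) >> (32 - (e->bits - ROOT_BITS)))];
  return e->value;
}

/* Constructed code-length sets (not from any real image), both complete codes:
   crafted == 0 is 232 eight-bit and 48 nine-bit codes; crafted != 0 is six short
   codes plus 34 chains of 9..15-bit codes, so many prefixes need deep subtables. */
void fill_lengths(int crafted, uint8_t lens[NSYM]) {
  static const uint8_t shorts[6] = {1, 2, 4, 5, 6, 7};
  int i, g;
  for (i = 0; i < NSYM; i++) lens[i] = crafted ? 0 : (i < 232 ? 8 : 9);
  if (!crafted) return;
  for (i = 0; i < 6; i++) lens[i] = shorts[i];
  for (g = 0; g < 34; g++)                        /* chain g: 9,10,...,15,15 */
    for (i = 0; i < 8; i++) lens[6 + 8 * g + i] = (uint8_t)(i < 7 ? 9 + i : 15);
}

int needed_entries(int crafted) {                /* sizing pass only */
  uint8_t lens[NSYM];
  fill_lengths(crafted, lens);
  return build_two_level_table(lens, NSYM, NULL, 0);
}

/* capacity >= 0: the vulnerable flow, trusting a fixed budget (returns -1 where
   the real bug wrote out of bounds). capacity < 0: the hardened flow, sizing
   pass first, then an allocation of exactly that size. Returns the decoded symbol. */
int build_and_decode(int crafted, int capacity, uint32_t code, int nbits) {
  uint8_t lens[NSYM];
  Entry *table;
  int sym;
  fill_lengths(crafted, lens);
  if (capacity < 0) capacity = build_two_level_table(lens, NSYM, NULL, 0);
  if (capacity < 0 || (table = malloc((size_t)capacity * sizeof *table)) == NULL) return -1;
  sym = build_two_level_table(lens, NSYM, table, capacity) < 0 ? -1 : decode_one(table, code, nbits);
  free(table);
  return sym;
}
```

needed_entries(0) and needed_entries(1) report 304 and 610 entries for the same 280-symbol alphabet, so build_and_decode(1, FIXED_TABLE_BUDGET, 0x7FFF, 15) refuses to build because the crafted lengths overrun the fixed budget; in the vulnerable libwebp versions that is the point at which the table data was written out of bounds. build_and_decode(1, -1, 0x7FFF, 15) runs the sizing pass first, allocates 610 entries and decodes the all-ones 15-bit code word to symbol 277. The general lesson is the one the fix applied: a buffer for a data structure whose size depends on attacker-controlled input must be sized from that input, not from a table of assumptions about it.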
As we wrote years ago, Pegasus has been around for a long time and we should not ignore its existence.\r\nOur own David Ruiz wrote:\r\n“Pegasus is reportedly instrumental to several governments’ oppressive surveillance campaigns against\r\ntheir own citizens and residents, and, while NSO Group has repeatedly denied allegations that it\r\ncomplicitly sells Pegasus to human rights abusers, it is difficult to reconcile exactly how the zero-click\r\nspyware program—which non-consensually and invisibly steals emails, text messages, photos, videos,\r\nlocations, passwords, and social media activity—is at the same time a tool that can, in its very use,\r\nrespect the rights of those around the world to speak freely, associate safely, and live privately.”\r\nPegasus is not new. The company behind it launched in 2010, and it reportedly gained its first overseas customer\r\njust one year later. For years, Citizen Lab has been tracking the spread of Pegasus, searching for government\r\nclients and tracking down mobile devices that were hacked by the spyware. Back in 2016, the group’s\r\ninvestigations helped spur macOS updates to fix severe vulnerabilities that could have been exploited by Pegasus.\r\nIn 2018, Citizen Lab also identified 45 countries that were potentially relying on Pegasus to conduct surveillance.\r\nAfter learning about the findings from The Pegasus Project, former NSA defense contractor and surveillance\r\nwhistleblower Edward Snowden warned that spyware is not a small problem. It is, he said, everywhere.\r\n“When I look at this, what the Pegasus Project has revealed is a sector where the only product are\r\ninfection vectors, right? They don’t—they’re not security products. They’re not providing any kind of\r\nprotection, any kind of prophylactic.”\r\nSnowden said.\r\n“They don’t make vaccines. The only thing they sell is the virus.”\r\nSource: https://www.malwarebytes.com/blog/news/2023/09/pegasus-spyware-and-how-it-exploited-a-webp-vulnerability",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.malwarebytes.com/blog/news/2023/09/pegasus-spyware-and-how-it-exploited-a-webp-vulnerability"
	],
	"report_names": [
		"pegasus-spyware-and-how-it-exploited-a-webp-vulnerability"
	],
	"threat_actors": [],
	"ts_created_at": 1775439079,
	"ts_updated_at": 1775791218,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4d99ef4a449d9495b169bfa363f0e8935e589a74.pdf",
		"text": "https://archive.orkl.eu/4d99ef4a449d9495b169bfa363f0e8935e589a74.txt",
		"img": "https://archive.orkl.eu/4d99ef4a449d9495b169bfa363f0e8935e589a74.jpg"
	}
}