[s4s] Tribune

webp on the 'log

By google earth | Updated 03/29/26(Sun)21:40:26

Your fortune: Good Luck

WebP is legitimately a better format than jpeg. Don't blame the format because hiroshimoot is lazy
>>12873623

Your fortune: Average Luck
>>12873623
Incorrect, the specification is literally designed to trojan horse other formats (for ads etc) and thus has often been used in malware and doesn't add ANYTHING to prior existing image formats.
>>12873615
FML. I thought they actually added webp support.
>>12873853
i have a dream

Your fortune: Excellent Luck
>>12873626
deep fried garloid
>>12873849
It's just a jpeg that's easier to scale to different resolutions
>>12873849
webp offers jpg level compression and also supports both transparency and animation, neither of which are supported by jpg
>>12873856
>>12873860
Nope it is an extensible format hoping to "support" every image format which leads to constant problems.

WebP (/ˈwɛpi/ WEP-ee)[10] is a raster graphics file format developed by Google and intended as a replacement for the JPEG, PNG, and GIF file formats on the web. It supports image compression (both lossy and lossless),[11] as well as animation and alpha compositing.
>>12873868
Like VP8 on which it is based, lossy WebP supports only 8-bit YUV 4:2:0 format,[112] which may cause color loss on images with thin contrast elements (such as in pixel art and computer graphics) and ghosting in anaglyph. Lossless WebP supports VP8L encoding that works exclusively with 8-bit RGBA (red, green, blue, alpha) color space.[113][114] It has no support for 10-bit color depth, while the successors HEIC and AVIF added 10-bit color depth support.

Due to the complexity of their compression method, WebP files take significantly more time to create than other web image formats. It is therefore usually not advisable to process WebP images on demand, as is the case with Web Map Services.[115]
was not able to conclude that WebP outperformed JPEG by any significant margin.

In September 2023, two critical vulnerabilities[118] relating to WebP images were discovered by Apple Security Engineering and Architecture (SEAR) and the Citizen Lab, potentially affecting Google Chrome, Chromium-based browsers and the libwebp project from Google, among any application implementing libwebp.

Among these vulnerabilities, CVE-2023-4863 was an actively exploited vulnerability with a high risk rating of CVSS 8.8. This could lead to an out of bounds/overflow condition in applications using the affected libwebp library, upon exploitation of a maliciously crafted .webp lossless file. This could result in a denial of service (DoS), or worse, enabling malicious remote code execution (RCE).

tl;dr WebP is both risky and WORSE than existing image formats.
>>12873873
This is a nice spa.
>>12873873
lol

Your fortune: Outlook good
>>12873874
Ermm I asked google gemini and it said google's webp is worth it though.
>>12873874
This seems to say that the vulnerabilities are due to the libwebp code library.
Which makes sense considering a format is simply a way of arranging data, vulnerabilities can only arise in the way you manipulate said data.
>>12873615
webp is not nice

Your fortune: Very Bad Luck
>>12873885
From the very RFC paper itself https://www.ietf.org/rfc/rfc9649.pdf as long as it is extensible like this, clever people can write malware into the files and make them look legitimate. This won't go away, it is built in vulnerability with hopes of extensibility, that could at least imaginably have merit in future versions done better without this "unknown" aka "anything you want" lole feature if it was doing more than what can already be done which it doesn't.
>>12873888
high IQ trips

Your fortune: Godly Luck
>>12873889
It specifically states readers should ignore those chunks.
You can insert malicious data into any file, regardless of format.
Sure it's a possible attack surface if reader code doesn't ignore it or utilizes it for application specific uses without some form of validation (which is a bad practice problem), but, again, this is true for most file formats.
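The container-level validation argued over in the posts above, as an added example that is not part of the thread: a Python sketch that walks the top-level RIFF chunks of a WebP file, bounds-checks every declared size, and rewrites the file with only the chunk types defined in RFC 9649. The helper names and the sample bytes are constructed for illustration.

```python
import struct

# Chunk FourCCs defined by the WebP container specification (RFC 9649).
KNOWN_CHUNKS = {b"VP8 ", b"VP8L", b"VP8X", b"ALPH", b"ANIM",
                b"ANMF", b"ICCP", b"EXIF", b"XMP "}


class WebPFormatError(ValueError):
    """Raised when the RIFF container is structurally invalid."""


def iter_chunks(data: bytes):
    """Yield (fourcc, payload) for each top-level chunk, bounds-checking sizes."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise WebPFormatError("not a RIFF/WEBP container")
    (riff_size,) = struct.unpack_from("<I", data, 4)
    end = 8 + riff_size                      # RIFF size excludes the 8-byte header
    if riff_size < 4 or end > len(data):
        raise WebPFormatError("RIFF size does not fit the file")
    pos = 12
    while pos < end:
        if end - pos < 8:
            raise WebPFormatError("truncated chunk header")
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        start = pos + 8
        if size > end - start:               # never trust the declared length
            raise WebPFormatError(f"chunk {fourcc!r} overruns the container")
        yield fourcc, data[start:start + size]
        pos = start + size + (size & 1)      # payloads are padded to even length


def build_chunk(fourcc: bytes, payload: bytes) -> bytes:
    """Serialize one chunk, adding the pad byte for odd-length payloads."""
    pad = b"\x00" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def strip_unknown(data: bytes):
    """Return (sanitized_file, dropped), keeping only spec-defined top-level chunks.

    Sub-chunks nested inside ANMF frames are not walked here.
    """
    kept, dropped = [], []
    for fourcc, payload in iter_chunks(data):
        if fourcc in KNOWN_CHUNKS:
            kept.append(build_chunk(fourcc, payload))
        else:
            dropped.append((fourcc, len(payload)))
    body = b"WEBP" + b"".join(kept)
    return b"RIFF" + struct.pack("<I", len(body)) + body, dropped


# Constructed sample: placeholder VP8L payload (not a decodable image)
# followed by an unknown "JUNK" chunk with an odd-length payload.
SAMPLE_BODY = (b"WEBP" + build_chunk(b"VP8L", b"\x2f\x00\x00\x00\x00\x00")
               + build_chunk(b"JUNK", b"hello"))
SAMPLE = b"RIFF" + struct.pack("<I", len(SAMPLE_BODY)) + SAMPLE_BODY
```

This filter only touches the container; it does not inspect the VP8L bitstream inside a known chunk, which is where the thread's linked write-up places the CVE-2023-4863 overflow, so it complements an updated decoder and does not replace one.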
>>12873905
>You can insert malicious data into any file
Obviously, it would never be read or attempted to be utilized, this is not that.
>which is a bad practice problem
Exactly my point, very easy for me to say as a self hosting website owner (like discord) to decide to "legitimately" use this feature and "accidentally" open my users to vulnerability. More likely they used use it as I mentioned ignoring the "should" clause to do whatever they want. As it is set up, this will continue to happen and if the people are malicious and clever people won't even know it is happening. It is a built in trust system that shouldn't exist you see?
>>12873913
Essentially if they take out that open to anyone extensibility of the format it becomes incredibly more secure, but lets be real, they like it just as it is to do whatever they want with whoever uses it in any system any way they decide they want to.

But yes, all said WebP bad and sus, could be better but isn't.
>>12873913
The exact same can be said of databases, you have to validate all data that comes from an end user otherwise you might introduce hazards.
It isn't a built in trust system, because they specifically tell you not to trust it, UNLESS you're using it for application specific uses at which point the responsibility for safety lies on you.
>>12873916
except in this case, the database can be every image a user downloads and is prone to share, so again no not the same. I think you're just arguing moot points just to argue.

WebP bad.
>>12873916
>>12873914
>>12873913
>>12873905
>>12873885
>>12873874
>>12873868
>>12873860
>>12873849
>>12873623

Your fortune: Excellent Luck
>>12873917
>every image a user downloads and is prone to share,
every time you use your computer for anything , and this includes the internet, databases are being read and written to. If you think transferring images is a more widespread action, you are sorely mistaken.
You can inject malware into a txt file if the user runs it as an executable .bat file.
txt bad and sus
>>12873921
>>12873922
Doing that with txt is bad and sus, connecting to bad databases is bad and sus but you're not downloading that information and sharing it with webP you don't have to do anything but download an exploited image, the difference is obvious. If you keep thinking WebP is "okay" and "like other things" when it is completely on another level you deserve what you'll likely get.

Everyone else not arguing just to be right from the jaws of being completely wrong:

Just don't use WebP.
>>12873928
Yeah an exploited WebP file is more akin to having an exploited exe file.. that someone else can potentially run for you if you use their service. It really is so much worse than others are pretending it is. This is what happened with discord, and is what is 100% happening elsewhere without people getting caught doing it the backbone of many botnets.
>>12873928
>connecting to bad databases
lol. Like you know what databases you connect to when going online.
Like you actually pored over the code whatever software you're running is using and verified that it's safe.
You didn't. You rely, like many others, on the code libraries to be safe.
A database writes arbitrary data that must be validated to avoid being compromised.
The very vulnerability you're complaining about does the exact same thing.
As always, it's up to the code handling the image to validate any information that might be arbitrary.
As a final note, your browser can read webp images, many websites already use webp images. Whether you like it or not, your PC is already reading webp files on a daily basis.
You better hope, the people who wrote that code weren't as lazy as you are.
>>12873943
No I don't, you have no idea what you're talking about, a database is incredibly easy to see how you're connecting and it doesn't run arbitrary code by itself, you still in school? The cracks in your knowledge have long since shown.
>>12873944 (dubs)
I think they're just a google fanboy at this point with no real CS background.
>>12873946
Hey it could be more than that, for instance if I were maintaining a botnet I'd want WebP to be the only game in town, one of my exploited WebP images and boom they connect to my database without knowing it and I remotely gain control of their PC one more for the botnet. All they have to do is have the right frog meme. Totally the same thing btw as renaming a text file.
>>12873944
I didn't say it was hard, I said you don't do it.
I know reading comprehension is hard for you, but try to keep up.
> it doesn't run arbitrary code by itself
Neither do the unknown chunks in webp, the vulnerabilities discussed are overflow vulnerabilities, these cause the program counter to point at a different part of the memory, after which the instructions are read from there. The part that executes those instructions is whatever environment the original application was running in.
As for database not executing code, that wasn't the point. The point was how writing/reading arbitrary data provides a similar attack surface for malicious actors.
Whether it's code execution in the case of webp.
Or leaking sensitive data in the case of databases.
In both cases, to avoid hazards, untrusted end user data must be validated.
>>12873953
Seems to be hard for you too, because YES they do, and that is how the Discord vulnerability worked with that custom lib and there are plenty more out there like it. You're just wrong about both the risk and scale of said risk.
>Brief downtime in 10 minutes for maintenance!

I hope it is for webP support that would be very vv funny, or early April Fools
>>12873960
>worked with that custom lib
and therein lies the vulnerability.
I can't stress this enough, the files are processed in an environment, it is that environment that runs code. If there is malicious code in those unknown chunks, it is the environment's role to validate it.
Validation, in no way, would try to run the data in those chunks as code, this is true for any validation in any software.
>>12873849
>>12873874
how come filesize to quality ratio is always 1000% better with webps idk about the security vulnerability stuff but they mog gifs
>>12874049
Because it's a modern, more efficient image format. This person is acting terrified of imaginary threats that would require an image viewer to decide to execute malicious code someone embedded into the file instead of just displaying an image. This imaginary boogeyman is theoretically possible with any file format though.
>>12874049
No it doesn't, pic rel do that with Webp (you can't btw because it is less efficient). You might be confused with Webm?

WebP it is less efficient than every aspect it seeks to emulate, a security risk literally by its nature, the information proving this in history and in its own data sheet. Every format by default is better at its job, faster, and potentially smaller file sizes. Anyone denying this is just wrong.

Don't use WebP.
>>12873623
>hiroshimoot is lazy
he's not lazy, he's busy arguing with people on japanese tv full force, he just doesn't give a single shit about this site.
>>12874261
He literally just doesn't see the point in supporting a security risk that is worse at what he already supports, this is why 4chan supports WebM and not WebP it is an intelligent choice based on reality.
>>12874262
there is nothing intelligent about this 50 year old unchanged site
>>12874270
It just supported MP4 recently, which one could argue was less efficient of a choice and done for popularity alone lol. If they ever support WebP I'll agree with you.
>>12874275
if you think supporting a format is intelligence you set the bar extremely low
>>12874275
>>12874262
>>12874257
Maybe if you repeat it enough times it'll come true.
>>12874280
If you don't think intelligently about what formats and how you implement them on your servers you don't even register. You're like someone posturing they are a mechanic and sticking the dipstick in the gas tank to check the oil.

>>12874283
Anyone with a brain willing to use it using resources in this thread alone knows it is true. Please keep using WebP for everything.
>>12874283
>hurr I'm giving retarded harmful advice OWNED TROLLT THEY SO MAD
>>12874286
Well, I guess I had fun debating you, sort of.
But you clearly lack even a basic understanding of how software works.
making my bots fight each other for hours while i jerk off and then using a third bot to evaluate who won
>>12874290
Can't say the same.

You're just actually malicious either as a retarded troll or a self absorbed individual projecting on me your own inability to accurately assess the reality of this subject and your ego just can't stand being wrong even at the detriment of others.
>>12874302
You haven't made a single argument other than "you can write arbitrary chunks of data by design".
You failed to understand why it's the software developer's responsibility to handle validation of arbitrary data.
You failed to understand the analogies I gave, and how they pose similar challenges yet are still widely used.
And finally, when you got tired of just repeating the same claim over and over, you resorted to personal attacks.

>>12874305
Literally started this by proving that was abused (and the flaw that enabled it still exists) to maliciously affect users.

All you've done is say "prove it" over and over despite me having proven it, you don't deny it has and can be used maliciously you just go or "hurr software devs have to validate this endlessly exploitable existent unchanged problems and they would NEVER abuse it" like a retard when history itself has proven it is still there.

Essentially you've proven yourself to be a bad person giving literally harmful advice defending a bad thing for the sake of it so I'm done taking you seriously in any fashion.

It literally happened, the reason it happened in the file format is still there, this isn't a debate this is you doubling down wrongly and gaslighting at this point, you're literally being malicious and dishonest first, over and over and thus at this point I don't feel bad attacking back.

https://micahkepe.com/blog/webp-vulnerability/
>>12874312
LOL TROLLT I WASTED SO MUCH OF YOUR TIME LOLOL
>>12874312
I never said prove it. I simply explained why it isn't the big bad exploit you make it out to be.

You can use as many buzzwords as you like, it won't change the facts.
>>12874315
epic bait

Your fortune: Good Luck
>>12874312
If they removed this >>12873889 it would go away, but the built in vulnerability is a feature for them, not an oversight, not a bug. So it isn't going away.
>>12874312
>https://micahkepe.com/blog/webp-vulnerability/
>The issue is that there was no length check on the buffer that was allocated for the Huffman table, which could lead to an out-of-bounds write when the invalid table is unpacked by the decoder.
From your own source. As is clearly stated, the issue is with the decoder code not checking the length on a buffer.
>>12874325
excuser me, but is possible your using the meme arrowlels to quote sombody? who may that be?
>>12874331
off by two
>>12874333
CHECKED

Your fortune: Average Luck
Gotta be really careful with webP because it was developed by some shitty, mostly unknown software company known as "Google". Can't really trust those guys.
>>12874356
this but without the "unknown" part
>>12874361
lol this, those ironic moments when one of the people defending something have the most convincing argument obliterating it are always chef's kiss
>>12874257
are you trying to claim webps are less efficient than gifs because lole you just forfeit the entire argument retard

Your fortune: Bad Luck
>>12874403
I take it both of you don't use Android, and use a non blink browser, right?
>>12874415
I'm not autistic enough to degoogle every single thing I use
Still hate it, though
>>12873856
Where do I sign up to be that mamasan's personal White gorilla?

Your fortune: Reply hazy, try again
>>12874413
Not only did they say that, they proved it. make a smaller than 26 byte webp we'll wait
>>12874782
I think they mean animated gifs which isn't an apples to apples comparison, since webp is basically animated pngs/jpgs, and why would you ever use it when webm/mp4 exists if you wanted a newer efficient format in older machines gif is unironically better despite its 256 color limit because said machines don't use more than that anyhow everything webp does there is a format already that does it better
>>12874782
Are you complaining about a 26 byte overhead when the gains on average sized media more than makes up for it?
You can't be this ignorant....
>>12874782
proves my thinking that you dont really know what youre talking about and are weirdly lying based on a few things you know wonder what mental lelness you have samefig
>>12875091
you seem like a real retarded nigger, just saying.
>>12875131
you could attempt a basic level of familiarity with what you talk about instead of lying
>>12875131
well they're defending webp so.. yeah
Ain't no way you nerds are arguing about the type of picture format your shit ass memes are made of
>>12875175
I want to formally apologize my very mild frustration with google images webm-rape manifested in image format autism feel free to filter

Your fortune: Outlook good
>>12875180
ok just a warning this time
>>12875175
JUST SHUT UP AND USE MY FAVORITE LITERAL MALWARE FORMAT WEBP MY BOTFARM NEEDS MORE SLAVES.
>>12875175
Autistic individuals may argue frequently due to a preference for facts, accuracy, and direct communication, rather than a desire for conflict.

Your fortune: Outlook good
>>12875184
Finally, an honest reason to want others to use WebP.
>>12875175
MAVI (memes are very important)
>>12874794
gifs are handled differently than webms and mp4s i want a more efficient gif style format

Anonymous is a reporter from /s4s/


2026 [s4s] Tribune™, owned and operated by J. Jonah Jameson.
All content obtained from the official 4chan API and refreshed hourly.
Contact s4stribune@gmail.com for all inquiries.