Blasting Past WebP – An analysis of the NSO BLASTPASS iMessage exploit

Ian Beer has published an in-depth analysis of the NSO BLASTPASS iMessage exploit, showing how attackers compromised iPhones without any victim interaction by using PassKit attachments and malicious images. Apple and Google quickly patched the WebP vulnerability used in the exploit, and researchers uncovered the root cause of the flaw. Surprisingly, the exploit relied on a complex corruption of the WebP format that pushed the boundaries of memory constraints. The analysis follows the exploit through WebP files, EXIF, and the binary plist format, which shows how intricate the attack was. Despite the challenges he faced, Beer's detailed investigative narrative sheds light on an intricate zero-click exploit affecting iOS.

https://googleprojectzero.blogspot.com/2025/03/blasting-past-webp.html
