Project Zero: Blasting Past Webp

A zero-click iOS exploit, dubbed “BLASTPASS,” was discovered in the wild, targeting iPhones running iOS 16.6. The exploit leverages a vulnerability in the WebP image format, specifically in its lossless variant, to corrupt memory and execute arbitrary code. It is delivered through PassKit attachments containing malicious WebP images, bypassing the “BlastDoor” iMessage sandbox.
