Blasting Past Webp
ID: f433e056-0506-528b-8d28-decdd0f2f698
STIX ID: report--f433e056-0506-528b-8d28-decdd0f2f698
Feed Name: Google Project Zero
This blog-post-style technical writeup by Google Project Zero analyzes BLASTPASS, an NSO Group zero-click iMessage exploit. The exploit used a lossless WebP memory corruption (exploited in the wild) combined with a large MakerNote binary-plist heap groom inside a PKPass to achieve code execution and BlastDoor sandbox escape on iOS. The chain included allocator metadata corruption, crafted TIFF/WebP payloads, ASLR disclosure (likely via HomeKit), and a callback-oriented JOP technique to bypass ARM Pointer Authentication and bootstrap an encrypted NSExpression payload for final payload delivery.
