5

ok, but this is cool. it’s an image that renders differently on apple and non-apple devices. not sure if devRant will process it so it doesn’t work, but this is cool. also a huge vulnerability for apple, but cool.

Comments
  • 2
    Tell me? Says hello apple for me
  • 1
    Hello Apple

    What's it meant to say?
  • 1
    It’s a picture of Chelsea Clinton
  • 1
    Show us how it shows on apple hahah
  • 1
    I want to know too
  • 5
    So it probably was one of those composite file cases, where two different files are merged into one in a way that exploits OS-specific guessing of content type to show one or the other depending on OS.

    But devRant ruined it by processing the file and the one who wants us to calm our tities works for some online news site and therefore didn't link the source...
  • 3
    @ScriptCoded @C0D4 @LiterallyJesus @ChristoPy @react-guy @Oktokolo link to original: https://da.vidbuchanan.co.uk/widget...

    full disclosure: if you do have an apple device, this could be an exploit so view at your own risk
  • 3
    @calmyourtities
    Oh nice - the image is encoded in a standards-compliant way. But if you implement parallel decoding in a naive way (like Apple), you get a different image because the chunks aren't really independent (meaning that previous chunks don't actually stop where they should).

    Doesn't look like you could use that for code execution. But being able to show different images on different OSes might still be security relevant.

    And the actual bug seems to be in the standard. Stuff like where chunks have to start and end must be clearly stated as a requirement. Then you could just reject quirky blobs instead of having to fall back to serial decoding.
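
The failure mode described in the last comment, modelled on raw deflate streams rather than real PNG files, as an added example that is not part of the thread or the linked page: a checker that accepts a split point only when decoding both halves independently reproduces the serial decode. The function names, the split-offset interface and the sample streams are constructed assumptions.

```python
import struct
import zlib

RAW = -15  # raw deflate, no zlib header (assumption: simplified model, not PNG)

def inflate(data: bytes) -> bytes:
    """Decode from the start of `data` with an empty window, as a worker would."""
    return zlib.decompressobj(wbits=RAW).decompress(data)

def split_is_consistent(stream: bytes, offset: int, first_len: int) -> bool:
    """True only if decoding both halves independently matches a serial decode."""
    try:
        serial = inflate(stream)
        first, second = inflate(stream[:offset]), inflate(stream[offset:])
    except zlib.error:
        return False  # second half needs decoder state left by the first half
    return len(first) == first_len and first + second == serial

def two_part(top: bytes, bottom: bytes, flush: int):
    """Constructed sample: one deflate stream with a split point after `top`."""
    c = zlib.compressobj(wbits=RAW)
    seg1 = c.compress(top) + c.flush(flush)
    return seg1 + c.compress(bottom) + c.flush(), len(seg1)

def overrunning(top: bytes, hidden: bytes):
    """Constructed sample: the first block does not stop at the split point."""
    c = zlib.compressobj(wbits=RAW)
    inner = c.compress(hidden) + c.flush()
    n = len(top) + len(inner)
    head = b"\x00" + struct.pack("<HH", n, n ^ 0xFFFF)  # non-final stored block
    tail = b"\x01\x00\x00\xff\xff"                      # final empty stored block
    return head + top + inner + tail, len(head) + len(top)

ROWS = b"row-of-pixels-" * 20  # constructed bytes standing in for image rows

def demo() -> dict:
    """Run the check over three constructed streams."""
    return {
        # Full flush resets the compressor: halves really are independent.
        "full_flush": split_is_consistent(*two_part(ROWS, ROWS, zlib.Z_FULL_FLUSH), len(ROWS)),
        # Sync flush keeps the window: second half back-references the first.
        "sync_flush": split_is_consistent(*two_part(ROWS, ROWS, zlib.Z_SYNC_FLUSH), len(ROWS)),
        # Stored block spans the split: serial and split decodes disagree.
        "overrun": split_is_consistent(*overrunning(ROWS, b"different rows"), len(ROWS)),
    }

if __name__ == "__main__":
    print(demo())
```

A validator that runs this kind of check can reject or flag the ambiguous blob up front; the cost is one extra serial decode.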