"I found a 3rd party library that uses eval, so we just send it code we want to run and...boom. We're in."
"I found a popular chat app that after install leaves a tool with full sudo privileges behind for us to take advantage of located clickityclickity... here. We're in."
Sometimes, it can be even more pedestrian sounding. Hackers don't always have to be clever if other people are absolutely dumbasses before their arrival.
To be clear, what this exploits is nothing like what you've mentioned.
The article does a very good job of describing the relevant parts of the image format. They built a VM inside of an image's single pass decompression route. I'd highly recommend reading the article.
This is just one of the exploits in a very large chain.
To quote some of the nation's top security researchers:
> Based on our research and findings, we assess this to be one of the most technically sophisticated exploits we've ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states.
Yeah. Even I know about eval. I'm just happy Google and Apple actually care about security unlike the 2000s companies and can rival the smartest hackers to keep my phone safe!
I'm thinking you're missing the larger idea. The whole point is that while these "geniuses" did something really "impressive" and difficult, there are just as really not-impressive and not-difficult things found in the wild that have caused problems as well.
It's called counterpoint. It was actually found interesting by several people, but you can have your opinion that you don't find it interesting. It actually did add to the conversation as there were multiple replies to it. Your comment about it is the thing that doesn't really add to anything.
Joking aside, this does illustrate the "magical" properties of technology to the layperson. As a corollary, failure modes end up quite surprising and hard to reason about without a certain amount of proficiency in these technologies.
I've seen some examples of this. It's very clearly trained on a white-male dataset.
I've also seen it "enhance" an image of a resistor into a human face.
I don't care how much AI you have, you can't add back data that wasn't in the original image. The best you can hope to do is get a vague approximation, and you must have a very, very good (comprehensive) training dataset for that to be remotely viable.
The premise of the technology is not adding more information to the image. But rather realizing that the image may have a description that is a lot smaller than its file size suggests; then it becomes a matter of rendering it using world-aware encodings. The resolution may appear higher but it is actually a filtration of the original data. And there’s nothing to say that simply because the current technology is overfitted to their present-day datasets, that such a filter (that is actually useful for common images, or enhancement by leveraging known/few-shot other examples consisting of the same target object) cannot exist.
There is a world of difference between upscaling something digital and something analog. 16mm film actually does contain more information than could be shown with the original film. We have better scanning techniques today that can extract that information.
Upscaling something digital does require creating information out of thin air, on the other hand.
Well, that and the explanation is missing the details. Conceptually being able to construct something like that from XOR and NOT primitives is stuff from undergrad computer engineering curriculum. But it's certainly a respectable feat to find this combination of compression format and the vulnerability therein of all the supported formats, and think to apply it like this.
"Now I just have to embed a 64-bit computer architecture into my compression algorithm and... boom. We're in."