WebP
The latest Google perversion to the Internet is the image type WebP, designed to "replace" JPEG. This format has, among other shortcomings, no support for EXIF, CMYK, or ICC color profiles, which is why photographers have no use for it. Google also didn't bother to add the most requested JPEG feature, support for an alpha channel.
WebP is a "force forward" image format that offers no significant benefit over one of the more common formats, and it introduces new vulnerabilities into software due to poorly written rendering routines. The motivation is Google market dominance and the cost is inconvenience, broken image manipulation, and security.
Support For WebP:
- Websites: Modern content management systems and web frameworks often provide plugins or tools for serving WebP images.
- Android Devices: Android 4.2.1 (API level 17) and higher support WebP natively.
- Apple Devices: WebP isn't natively supported, but third-party libraries, such as SDWebImage, provide WebP integration.
- macOS/Windows: Some modern image editors and viewers support WebP natively. For others, plugins or extensions might be required.
Google Domination
Google announced WebP in 2010, and Photoshop didn't officially support WebP until February 2022. Google has been trying to force WebP into wider adoption, starting the push in 2013. Firefox and Safari added WebP support in 2019 and 2020. Furthermore, with market-dominating back-room deals between Google and major CDNs, you are now seeing WebP appearing on a wide range of web sites. Amazon Web Services and Akamai now convert images to WebP before serving them to people visiting many web sites. Cloudflare's Image Optimization service is another raw deal for people who want to download images online.
WebP still is not supported by most image editing software. WebP is rejected by many of the same web sites that serve the image format for viewing and download.
Heap Buffer Overflow in WebP Security Vulnerability
In September 2022 Google reported a newly discovered security issue relating to WebP images in its web browser, Google Chrome. It was described as a "heap buffer overflow in WebP within Google Chrome" and tracked under CVE-2023-4863. The scope then expanded when Google was forced to admit that the vulnerability existed not within Chrome, but within the libwebp library itself. The vulnerability was not confined to Chrome and had far-reaching consequences due to the widespread use of the WebP format within various applications. Impacted software includes other web browsers as well as email clients, mobile apps, and operating systems.
At the heart of this vulnerability is Huffman coding being mishandled in a specific way that can purposely be made to result in a classic buffer overflow. This allows an attacker to create a specially crafted WebP image containing a malicious payload, which, when processed by the libwebp library, could lead to the malicious payload being executed on the end user's device. It works by allowing data to be written beyond the allocated memory space.
Vulnerable systems include web browsers, image processors, and applications using libraries that handle WebP, affecting all types of device, from mobile to desktop to smart devices. This type of oversight, which has always been common in Microsoft products, is also becoming an issue with Google. These massive companies that leverage their dominance to force their poorly designed technologies onto all of us have always been a problem, and today Google is the front runner in forced garbage technology.
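Because any application that hands an image to libwebp is exposed, it helps to recognize WebP by content rather than by file name before a file reaches a decoder. The following is an added example, not code from this page or from libwebp: it walks the RIFF container, flags files that carry lossless (Huffman-coded) data, and rejects chunks whose declared size overruns the file. The function names, labels and sample byte strings are constructed for illustration.

```python
import struct

def webp_chunks(data):
    """Return [(fourcc, payload), ...] for a WebP file, or None if not WebP.

    A chunk whose declared size runs past the end of the buffer raises
    ValueError; the declared size is never trusted for reading.
    """
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        return None
    chunks, pos = [], 12
    while pos + 8 <= len(data):
        fourcc, size = struct.unpack_from("<4sI", data, pos)
        end = pos + 8 + size
        if end > len(data):
            raise ValueError(f"chunk {fourcc!r} overruns the file")
        chunks.append((fourcc, data[pos + 8:end]))
        pos = end + (size & 1)          # payloads are padded to even length
    return chunks

def classify(data):
    """Label bytes by content, not by file name or Content-Type."""
    try:
        chunks = webp_chunks(data)
    except ValueError:
        return "webp-malformed"
    if chunks is None:
        return "not-webp"
    for fourcc, payload in chunks:
        # VP8L is the lossless bitstream, which is Huffman (prefix) coded.
        if fourcc == b"VP8L":
            return "webp-lossless"
        # An ALPH chunk with compression method 1 also holds lossless data.
        if fourcc == b"ALPH" and payload and (payload[0] & 0x03) == 1:
            return "webp-lossless"
    return "webp-lossy" if any(f == b"VP8 " for f, _ in chunks) else "webp-other"

def build(*chunks):
    """Constructed sample: wrap (fourcc, payload) pairs in a RIFF/WEBP header."""
    body = b"WEBP"
    for fourcc, payload in chunks:
        body += fourcc + struct.pack("<I", len(payload)) + payload
        body += b"\x00" * (len(payload) & 1)
    return b"RIFF" + struct.pack("<I", len(body)) + body

if __name__ == "__main__":
    # Constructed containers; the payloads are filler, not decodable images.
    print(classify(build((b"VP8L", b"\x2f\x00\x00\x00\x00"))))   # named .jpg or not
    print(classify(build((b"VP8 ", b"\x00" * 10))))
    print(classify(b"\xff\xd8\xff\xe0" + b"\x00" * 16))
    print(classify(build((b"VP8L", b"\x2f" * 8))[:-4]))
```

The labels can drive a policy at an upload endpoint or mail gateway, for example converting or quarantining anything other than `not-webp` until the decoder behind it is known to be patched.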
Avoiding WebP
Sadly, it is next to impossible to reliably avoid WebP images 100% of the time. This is by design. Google wants to force this format into acceptance and the company has made deals with many software and content providers to ensure this happens. There are some plugins and other options to help deal with WebP, either by conversion or requesting sites offer another format and hoping some of them actually comply.
Websites serving images in WebP format, particularly those using Cloudflare's Image Optimization service, have become increasingly problematic for many users.
Google Chrome or Microsoft Edge
- Use the Save Image as Type extension
Firefox
- Edit about:config: change the "image.webp.enabled" setting from true to false
- WebP image converter Firefox extension
- Don’t Accept image/webp extension
Internet Explorer
- IE gets JPEG because it doesn't support the WebP format and the server offered an alternative