mccDec 14, 2022
TIL: There is a cursed color in the Kodak ProPhoto RGB color space which, when converted to sRGB using pre-August-2020-Security-Update Android's image conversion routines, causes an integer overflow and a crash due to a rounding error. Some dude accidentally created an image (https://www.flickr.com/photos/gaurav_agrawal/48746079687/) which contains the cursed color on a single pixel. In 2020 if you set this image as your desktop on a Google or Samsung device, the device would brick & lose all onboard data https://www.youtube.com/watch?v=iXKvwPjCGnY
Prolific sunset at St Mary Lake, Glacier National Park

Flickr
Show threadmccDec 14, 2022
There was an actual IRL SCP / machine basilisk in the world and it remained effective for almost a year
Show threadmccDec 14, 2022
The most amazing part of the video is where the author is trying to figure out if the file was maliciously crafted so he recreates the image from scratch and accidentally kills his phone
Show threadmccDec 14, 2022
This is making me think about making an "irl-basilisks" Github repo containing the Excessively Loud Sunset, Janet Jackson's "Rhythm Nation" and a copy of the EICAR test file. Probably a bad idea because sometime in 2026 I'd wind up including "entirely innocuous image that incorrectly trips neural network CSAM scanners" and then I'd get banned from Github https://mastodon.social/@miah@hachyderm.io/109513848856267780
Show threadTim PantonDec 14, 2022

@mcc do you remember the cursed glyph combination that crashed any iPhone that tried to render it? Setting it as the title of a group chat zapped the whole group’s phones.
https://serhack.me/articles/crash-iphone-telugu-character-en/

You could use that in the repos name :-)

How to Crash the iPhone with a Single Telugu Character

Let’s take a look at the Telugu symbol “jñā” that causes Apple software to crash.

SerHack - Security Researcher
Show threadCraigDec 14, 2022
@mcc @steely_glint Ah, you just answered a question I’ve been lowkey carrying around for a few years — why we had a fuzz test that just spammed Telugu runes.
Show threadTim Panton
@craigm @mcc It really should have been in the readme...
Dec 14, 2022 at 8:59pmWeb
Show threadCraigDec 14, 2022
@steely_glint @mcc To be fair, I just never got around to asking any of our test automation leads about it, so it got filed in the “Huh, that’s an odd choice” brain bin until right now. 🙂
Show threadTim PantonDec 14, 2022
@craigm @mcc low, low key then.