Google’s .webP security debacle: how to fix it, or just block .webP as much as possible

Google’s annoying and unwanted .webP image format has a critical security hole in its core decoding library, libwebp: a heap buffer overflow that a crafted image can trigger, tracked as CVE-2023-4863 and fixed in libwebp 1.3.2. Because that one library is embedded in browsers, image viewers, chat clients and language runtimes alike, the hole is, according to one of Google’s later announcements, “much wider than initially assumed, affecting millions of different applications worldwide.”

Following this debacle, some immediate options:


Your PC’s image viewer:

The popular IrfanView doesn’t appear to have had a release for a year now, but its WebP support can be fixed by downloading this .dll from the official IrfanView PlugIns page…

Unzip it, then copy the .dll into your IrfanView Plugins folder. That restores the ability to open the format safely. Check the result rather than trusting the download: right-click the new WebP.dll and look at Properties | Details, where both the file date and the file version should show it to be the new fixed build. Google’s advisory confirms that libwebp 1.3.2 carries the fix.

Ok, that’s the PC’s local viewer fixed.


Python?

Yes. If your software uses the widely-used Python imaging module Pillow (aka PIL) at version 10.0.0 or lower, it is carrying its own vulnerable copy of libwebp: the Pillow wheels bundle the library rather than using a system DLL, so swapping a DLL on disk does not help. The fix is to upgrade to Pillow 10.0.1 or later, which ships libwebp 1.3.2.


Get a safe new compiled libwebp.dll:

There is a prebuilt libwebp.dll at DLLme.com compiled from the fixed libwebp 1.3.2. Treat third-party DLL download sites as a supply-chain risk in their own right: prefer the application vendor’s own update, and at minimum check the file version, and that the library reports itself as 1.3.2, before you install it. If a local filename search for webp shows that your favourite software ships its own libwebp.dll, back up the old one, replace it with the fixed build and see if the software still works. Software that links libwebp statically has no DLL to swap and can only be fixed by its vendor.

The Google car-crash continued a few days later with a similar heap overflow found in the video codec library libvpx (CVE-2023-5217, fixed in libvpx 1.13.1), so you may also want to search for copies of that and update the applications that ship them; deleting the DLL will simply break the program that needs it. I found it only in the OpenShot video editor and the VLC video player.
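
The hunting described in the Pillow and DLL paragraphs above can be scripted. The following is an added example written for this post, not tooling from IrfanView, Pillow, Google or DLLme: it walks a directory tree for copies of libwebp and libvpx, loads each one and asks it for its own version, and also reports the libwebp that the installed Pillow was built against. Assumptions, also marked in the code: libwebp’s exported WebPGetDecoderVersion() and libvpx’s vpx_codec_version() return the version packed as 0xMMmmpp, as their public headers document; the fixed libvpx version 1.13.1 comes from the libvpx release that carried its fix, not from this post; and the file-name patterns are a guess at how the libraries are commonly shipped.

```python
"""Audit the libwebp / libvpx copies on a machine and the libwebp inside Pillow.

Added example for this post; not code from IrfanView, Pillow, Google or DLLme.
Assumed (from the libraries' public headers, not from the post): libwebp
exports WebPGetDecoderVersion() and libvpx exports vpx_codec_version(), both
returning the version packed as 0xMMmmpp (major<<16 | minor<<8 | patch).
Fixed versions: libwebp 1.3.2 (from the post); libvpx 1.13.1 (from the
libvpx release that carried its fix; the post gives no number).
"""
import ctypes
import fnmatch
import os

FIXED = {"libwebp": (1, 3, 2), "libvpx": (1, 13, 1)}

# Assumed file-name patterns for shipped copies, and the version export to call.
TARGETS = {
    "libwebp": (("libwebp*.dll", "WebP.dll", "libwebp*.so*", "libwebp*.dylib"),
                "WebPGetDecoderVersion"),
    "libvpx": (("libvpx*.dll", "libvpx*.so*", "libvpx*.dylib"),
               "vpx_codec_version"),
}


def unpack_version(packed: int) -> tuple:
    """0x010302 -> (1, 3, 2)."""
    return ((packed >> 16) & 0xFF, (packed >> 8) & 0xFF, packed & 0xFF)


def is_fixed(found: tuple, fixed: tuple) -> bool:
    """Lexicographic tuple comparison: (1, 3, 1) is below (1, 3, 2), so vulnerable."""
    return tuple(found) >= tuple(fixed)


def which_target(filename: str):
    """Map a file name to (library, version-export), or None if not of interest."""
    for name, (patterns, export) in TARGETS.items():
        if any(fnmatch.fnmatch(filename.lower(), p.lower()) for p in patterns):
            return name, export
    return None


def library_version(path: str, export: str):
    """Load the library and call its version export; None if it cannot answer.

    Loading runs the library's initialiser, so only point this at copies that
    are already installed on the machine.  A wrapper DLL such as IrfanView's
    WebP.dll plugin may link libwebp statically without re-exporting the
    version call; for those, fall back to the file properties dialog.
    """
    try:
        fn = getattr(ctypes.CDLL(path), export)
    except (OSError, AttributeError):
        return None
    fn.restype = ctypes.c_int
    return unpack_version(fn())


def audit(root: str) -> list:
    """(path, library, version or None, fixed or None) for each match under root."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            hit = which_target(f)
            if hit is None:
                continue
            name, export = hit
            path = os.path.join(dirpath, f)
            version = library_version(path, export)
            fixed = None if version is None else is_fixed(version, FIXED[name])
            results.append((path, name, version, fixed))
    return results


def pillow_webp_version():
    """Version of the libwebp Pillow was built against, or None if unavailable."""
    try:
        from PIL import features
        text = features.version("webp")  # e.g. "1.3.2"; None if WebP support is absent
        return tuple(int(x) for x in text.split(".")[:3]) if text else None
    except Exception:
        return None


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, name, version, fixed in audit(root):
        if version is None:
            status = "no version export; check file properties"
        else:
            status = "ok" if fixed else "VULNERABLE"
        print(f"{name:8} {version}  {status}  {path}")
    pv = pillow_webp_version()
    if pv is not None:
        ok = is_fixed(pv, FIXED["libwebp"])
        print("Pillow libwebp", ".".join(map(str, pv)), "ok" if ok else "VULNERABLE, upgrade Pillow")
```

Run it as `python audit_webp.py "C:\Program Files"` (or against a Python site-packages directory) and act on every VULNERABLE line; a “no version export” line is the IrfanView-plugin case, where the Properties dialog is the check. If the Pillow line shows anything below 1.3.2, `pip install --upgrade Pillow` is the fix, not a DLL swap.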

Ok, with that done… on to the “nuke from orbit” options.


Browser blocking:

Block most .WebP files using the uBlock Origin browser add-on. Go: Dashboard | My Filters and add…

! Block most .WEBP images, everywhere
||www.*/*.webp
||www.*/*/*.webp
||http://*.*/*.webp
||http://*.*/*/*.webp
||https://*.*/*.webp
||https://*.*/*/*.webp

These rules match on the URL, so they only catch images whose address ends in .webp. A server that picks the format from your Accept header and serves a WebP at a .jpg or extension-less address, or a page that embeds the image as a data: URI, gets past them; the filters reduce exposure, they do not replace the browser update.


Block all animated .webP files:

If you already have a trusty animated-GIF blocker add-on, the additional GIF Blocker add-on can block animated .webP files wherever they come from. Set it to do just that, and it should not interfere with your regular .GIF blocker…

It’s now just a .webP blocker. At first I thought it was only for the animated type, but on testing I find it also blocks stills, provided they’re not already in the browser cache. Regrettably the add-on has no whitelist, so you can’t automatically turn it off on trusted sites.


Firefox & Co.:

Firefox was affected too (it decodes WebP with the same libwebp) and was fixed in Firefox 117.0.1 and the ESR releases of the same day, so update first. I read that it can also block webP at the browser level. In Firefox you edit in the…

about:config

And set…

image.webp.enabled -> false

This turns off the WebP decoder and also removes image/webp from the Accept header Firefox sends with image requests, so a server that negotiates on that header falls back to JPEG or PNG.

In the worthy and already-fixed Pale Moon browser (still available for Windows 7), to block this file type you edit the image.http.accept preference in the…

about:config

image/webp,image/jxl,image/png,image/*;q=0.8,*/*;q=0.5

This line is the Accept header Pale Moon sends with every image request; it tells the server ‘I can show webP, so send webP’.

Edit to this and then exit about:config…

image/jxl,image/png,image/*;q=0.8,*/*;q=0.5

Now a web server that looks for the literal image/webp token in the Accept header will think your Pale Moon browser can’t handle .webP images and will send JPEG or PNG instead. Some servers will ignore this, though: anything that serves a .webp file by URL never consults Accept at all, and a server doing full content negotiation can still treat image/*;q=0.8 as covering WebP when no other format is on offer.
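
Why the header edit works against some servers and not others comes down to how the server reads Accept. The following is an added example written for this post, not code from Firefox, Pale Moon or any real web server: it takes the two Accept header values quoted above (the Pale Moon default and the edited one) and runs them through three constructed server behaviours. substring_server models the common nginx/CDN rule that looks for the literal image/webp token; negotiating_server parses q-values the way RFC 7231 describes and picks the best-scoring representation it has; url_server serves whatever the URL names and never looks at Accept. The file names are made up for the example.

```python
"""How three kinds of web server react to the Accept header edit.

Added example for this post; not code from Firefox, Pale Moon or any server.
The two Accept values are the ones quoted in the post; the server behaviours
and file names are constructed for illustration.
"""

DEFAULT_ACCEPT = "image/webp,image/jxl,image/png,image/*;q=0.8,*/*;q=0.5"
EDITED_ACCEPT = "image/jxl,image/png,image/*;q=0.8,*/*;q=0.5"

# Constructed server-side inventories: MIME type -> file the server would send.
BOTH = {"image/webp": "photo.webp", "image/png": "photo.png"}
WEBP_ONLY = {"image/webp": "photo.webp"}


def parse_accept(header: str) -> list:
    """'image/png, image/*;q=0.8' -> [('image/png', 1.0), ('image/*', 0.8)]."""
    out = []
    for part in header.split(","):
        fields = [f.strip() for f in part.split(";")]
        mime, q = fields[0], 1.0
        for p in fields[1:]:
            if p.startswith("q="):
                try:
                    q = float(p[2:])
                except ValueError:
                    q = 0.0  # malformed q: treat as not acceptable
        if mime:
            out.append((mime, q))
    return out


def quality(mime: str, accepts: list) -> float:
    """q for a concrete type; an exact entry beats type/*, which beats */*."""
    major = mime.split("/")[0]
    best, best_rank = 0.0, -1
    for pattern, q in accepts:
        if pattern == mime:
            rank = 2
        elif pattern == major + "/*":
            rank = 1
        elif pattern == "*/*":
            rank = 0
        else:
            continue
        if rank > best_rank:
            best, best_rank = q, rank
    return best


def substring_server(accept: str, available: dict) -> str:
    """nginx-style: map $http_accept { ~*image/webp ... } -- a literal token test.

    Removing the token from Accept is enough to defeat this server.
    """
    if "image/webp" in accept and "image/webp" in available:
        return available["image/webp"]
    others = [f for m, f in available.items() if m != "image/webp"]
    return others[0] if others else available["image/webp"]


def negotiating_server(accept: str, available: dict) -> str:
    """RFC 7231 style: highest q wins; ties go to the server's own order.

    image/*;q=0.8 still admits WebP, so with no other format available WebP
    is sent even to the edited header.
    """
    accepts = parse_accept(accept)
    q, mime = max(((quality(m, accepts), m) for m in available),
                  key=lambda s: s[0])
    return available[mime] if q > 0 else "406 Not Acceptable"


def url_server(accept: str, available: dict) -> str:
    """Ignores Accept entirely: the URL named a .webp, so a .webp is sent."""
    return available["image/webp"]
```

The edited header beats the substring server outright and beats the negotiating server only because image/png is listed explicitly at q=1.0; strip that and WebP would still come through via image/*. Against the URL-keyed server no header helps, which is the case the post’s “some servers will ignore this” covers, and where the uBlock URL filter is the complementary control.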


Chrome based browsers:

They’re updated with fixes. You can do the same thing with the Accept header as above in Opera, Vivaldi and Edge by installing a “modify headers” add-on, but most of them require some fiddly wrangling, and such an add-on needs permission to read and alter every request you make, which is its own trust decision.

Again, some servers will apparently ignore this and send the images anyway. There’s a WebP / AVIF image converter add-on for Chrome-based browsers which will let you save them locally as .png files.


Spoofing:

Apparently spoofing the browser type, i.e. sending the User-Agent string of an older, non-webP browser, has no effect. That is to be expected: servers that choose the image format almost always do so from the Accept header, not the User-Agent, and servers that serve .webp by URL look at neither.


WordPress:

In a hosted WordPress install, you may want the “Disable WebP By Default” plugin, so you’re not serving your visitors this unwanted image type…

This disables WordPress’s ability to merrily create many zillions of smaller .webP versions of each image you upload.

This plug-in is also here at WordPress.org if you want to inspect before you install.


Testing your blocking:

The official WebP Gallery at Google: if your blocking works, the sample images there should fail to load; after a browser update they are equally a harmless way to confirm the fixed decoder displays them.
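
The gallery tests what the browser fetches. For files that have already landed on disk, the blocking above is extension-based, so a WebP saved under a .jpg name slips past it. The following is an added example written for this post, not Google’s or any library’s code: it recognises WebP by its container bytes instead of its name, per the WebP container layout (bytes 0-3 “RIFF”, 4-7 little-endian payload size, 8-11 “WEBP”, 12-15 the first chunk’s FourCC: “VP8 ” lossy, “VP8L” lossless, “VP8X” extended), and walks a folder reporting every hit. The lossless decoder is where the libwebp 1.3.2 fix landed, so the kind is worth reporting. The sample files are constructed 16-byte headers, not real images.

```python
"""Identify WebP files by content rather than by file extension.

Added example for this post; not Google's or any library's code.  The checks
follow the WebP container layout: 'RIFF' + LE size + 'WEBP' + first chunk
FourCC.  SAMPLES are constructed headers for testing, not decodable images.
"""
import os
import struct
import tempfile

WEBP_CHUNKS = {b"VP8 ": "lossy", b"VP8L": "lossless", b"VP8X": "extended"}


def webp_kind(data: bytes):
    """'lossy' / 'lossless' / 'extended' for a WebP header, else None."""
    if len(data) < 16 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        return None
    return WEBP_CHUNKS.get(data[12:16])


def riff_size_consistent(data: bytes) -> bool:
    """The RIFF size field should equal the file length minus the 8-byte RIFF header.

    A mismatch is not proof of anything, but a truncated or padded file is
    worth a second look before any decoder is pointed at it.
    """
    if len(data) < 12:
        return False
    (declared,) = struct.unpack_from("<I", data, 4)
    return declared == len(data) - 8


def find_webp(root: str) -> list:
    """Walk root and return (path, kind) for every file whose bytes say WebP,
    whatever its name says.  Reads only the first 16 bytes of each file."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            try:
                with open(path, "rb") as fh:
                    kind = webp_kind(fh.read(16))
            except OSError:
                continue
            if kind:
                found.append((path, kind))
    return found


def make_sample(fourcc: bytes, payload: bytes = b"\x00" * 12) -> bytes:
    """Constructed minimal RIFF/WEBP header with one chunk; not a real image."""
    body = b"WEBP" + fourcc + struct.pack("<I", len(payload)) + payload
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed test files: two WebPs (one hiding behind a .jpg name), one JPEG, one stub.
SAMPLES = {
    "cat.webp": make_sample(b"VP8 "),
    "renamed.jpg": make_sample(b"VP8L"),
    "real.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
    "short.webp": b"RIFF",
}


def demo() -> list:
    """Write SAMPLES to a temp folder, scan it, return sorted (name, kind) hits."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in SAMPLES.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return sorted((os.path.basename(p), k) for p, k in find_webp(tmp))


if __name__ == "__main__":
    for name, kind in demo():
        print(f"{name:14} {kind}")
```

Point find_webp at a downloads or cache folder to see which files are WebP regardless of what the browser or a web server called them; the two constructed hits from demo() are cat.webp (lossy) and renamed.jpg (lossless), while real.jpg and the 4-byte stub are correctly ignored.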

That’s it.
