A new Webkit vulnerability was disclosed by Google’s Project Zero team. Although it’s too early to say if this could be leveraged for a future exploit on PlayStation consoles, early reports seem to confirm both the PS4 and PS5 are impacted, up to the latest firmwares. This still needs further verification at this point.
PS5 and PS4 Webkit Vulnerability
Google’s Project Zero team focuses on zero-day vulnerabilities in tools with a large audience. This includes Webkit, the web browser engine used in a vast majority of web browsers nowadays, including the ones used on PS4 and PS5.
Webkit vulnerabilities have been used in the past as an entry point for PS4 and PS5 exploits, including the recent PS5 Hack.
This new vulnerability was disclosed by Project Zero on 2023-Jan-13. It is a use-after-free bug in Webkit’s CSS functionality.
![](https://i0.wp.com/wololo.net/wagic/wp-content/uploads/2023/01/webkit_CSSCrossfadeValue_vulnerability_ps5.jpg?resize=1024%2C591&ssl=1)
The Proof of Concept on the PS5 6.50 Browser
Not sure this impacts PS4/PS5 yet (someone needs to check) but potentially? https://t.co/VU5ECuLAUF
— Wololo (@frwololo) January 13, 2023
Webkit CSSCrossfadeValue::crossfadeChanged vulnerability apparently impacts PS4 10.01 and PS5 6.50
Zecoxao has asked people to test the vulnerability, and folks are reporting that “it works”, as the proof of concept (which can be found here) displays a “1”.
To be 100% transparent here, looking at the PoC I’m not entirely sure that showing “1” means a given browser is vulnerable, and I don’t know that anybody’s confirmed the expected behavior, so that will need to be double checked. To be sure, there are cases where a given system (e.g. my Chrome on Windows) doesn’t display anything, so at the very least there seems to be some different behavior involved, which, for the purposes of finding a vulnerability, is a good sign.
Echo Stretch has a video showcasing the PoC running on multiple systems:
You can test the vulnerability on your own console by going to http://es7in1.site/test.html. Again, at this point, I’m not sure anybody has confirmed 100% that displaying a “1” on the page (or not displaying it, for that matter) is proof that the system is vulnerable. I’ll update as soon as I have details on that.
If the vulnerability turns out to actually be something worth investigating, Sleirsgoevy will be looking into it, according to Zecoxao.
i think the almighty @sleirsgoevy will work on the webkit meme. stay tuned!
— Control_eXecute (@notzecoxao) January 14, 2023