[dns_snek]

Does this count?

https://signal.org/blog/cellebrite-vulnerabilities/

> Given the number of opportunities present, we found that it’s possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned. There are virtually no limits on the code that can be executed.

But it was a product using a 9 year old ffmpeg build (at the time).

[brigade]

I'd still consider that an academic exercise rather than an exploit that was deployed in the real world (aka against a machine the attacker did not control)

[renewiltord]

Yeah, that’s just how life is. We used to run with Heartbleed and Spectre turned off.

[hulitu]

> Does this count?

If Signal relies on ffmpeg to play videos instead of an externall app, i would say it is broken by design.