 Thu, 27. Feb 2025   Kremer, Birgit

New Publication at ISSTA: Wemby Discovers Security Vulnerabilities in WebAssembly

WebAssembly is bringing more and more applications to the internet. However, many web apps that use WebAssembly have vulnerabilities. We have investigated the risks to users and developed an analysis tool to make these apps safer.

In addition to HTML, CSS, and JavaScript, WebAssembly (Wasm) has now established itself as the "fourth language" of the web and is supported by all major browsers. The technology allows programs to be developed in languages such as C, C++, Go, or Rust and then run as WebAssembly modules in the browser with minimal performance loss. Many popular web apps, including twitch.tv, Google Earth, Adobe Photoshop, and Zoom, now take advantage of this benefit.

However, the technology also poses security risks, as shown by our joint study with TU Braunschweig. We analyzed nearly 38,000 domains on the web and found that more than 77% of these domains transmit data to apps without adequately checking the sources.

We see this practice as a significant security risk. If a WebAssembly module contains errors, hackers can exploit these vulnerabilities and inject malicious code into users' browsers over the internet.

To reduce this risk, we developed the analysis tool Wemby. Wemby detects memory errors in WebAssembly modules within the browser. Compared to previous methods, the tool analyzes more code in significantly less time.

Using Wemby, we discovered, among other things, a security vulnerability in Zoom that could be exploited through manipulated video data. The affected providers have been informed so they can take appropriate protective measures.

In June 2025, the researchers will present the results of their work at the Software Engineering Conference ISSTA in Trondheim (Norway).