It is not "fear", it is field experience. JSON has proven to be a bug generator for the reasons already stated.
The C++/Java/Python protocol buffer implementations are used by Google for all internal inter-server communication. Any similar exploit in them would result in total bypass of their entire internal security and auditing system by allowing you to run code as any user. The Google security team is very good, the protobuf code is carefully reviewed and the format is relatively constrained. The chances of there being any security problems in the parsing code generated by the protobuf compilers are drastically smaller. As BIP70 requests are parsed by security-sensitive code, this matters.
The maker of BlackPhone – a mobile marketed as offering unusually high levels of security – has patched a critical vulnerability that allows hackers to run malicious code on the handsets. Attackers need little more than a phone number to send a message that can compromise the devices via the Silent Text application.
"The SCIMP protocol encodes messages as JSON objects, which are then transmitted to the remote party over XMPP," Dowd explained to The Register. "The flaw I discovered occurs during the deserialization of these JSON objects. It is a type confusion vulnerability, which when exploited allows an attacker to overwrite a pointer in memory, either partially or in full. This pointer is later manipulated by the program and also the system allocator, allowing you to do things such as pass arbitrary pointers to free()."
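To make the bug class in the quote concrete, here is an added example (not code from the post, from Silent Text, or from any SCIMP implementation) of a deserializer checking a JSON value's type tag before its storage is used as a pointer. The `jv` type, its constructors and `handle_field` are hypothetical names, and the sample values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical minimal JSON value: a type tag plus a union of payloads. */
typedef enum { JV_NULL, JV_NUMBER, JV_STRING } jv_type;
typedef struct {
    jv_type type;
    union {
        double number;      /* valid only when type == JV_NUMBER */
        const char *string; /* valid only when type == JV_STRING */
    } u;
} jv;

/* Constructors for the constructed sample values used below. */
jv jv_make_number(double d) { jv v; v.type = JV_NUMBER; v.u.number = d; return v; }
jv jv_make_string(const char *s) { jv v; v.type = JV_STRING; v.u.string = s; return v; }

/* Checked accessor: hands out the pointer only when the tag says the union
   really holds one. Reading v->u.string without this check is the type
   confusion: a number's bytes would be treated as a pointer. */
static int jv_get_string(const jv *v, const char **out) {
    if (v == NULL || out == NULL || v->type != JV_STRING || v->u.string == NULL)
        return -1;
    *out = v->u.string;
    return 0;
}

/* Copies a string field into a fixed buffer.
   Returns 0 on success, -1 on wrong JSON type, -2 if it does not fit. */
int handle_field(const jv *field, char *dst, size_t dst_len) {
    const char *s;
    size_t n;
    if (jv_get_string(field, &s) != 0)
        return -1;          /* wrong type: reject the whole message */
    n = strlen(s);
    if (n >= dst_len)
        return -2;          /* too long: reject rather than truncate */
    memcpy(dst, s, n + 1);
    return 0;
}

int main(void) {
    char buf[8];
    jv ok = jv_make_string("abc"), bad = jv_make_number(1.0);
    printf("string field: %d\n", handle_field(&ok, buf, sizeof buf));
    printf("number field: %d\n", handle_field(&bad, buf, sizeof buf));
    return 0;
}
```

A schema-driven format moves this tag check out of hand-written field handlers and into generated parsing code, which is the property the post argues for.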