A vulnerability in WhatsApp that can be used to compromise user chat sessions, files, and messages through malicious GIFs has been disclosed.
The security flaw, CVE-2019-11932, is a double-free bug found in WhatsApp for Android in versions below 2.19.244.
A double-free vulnerability occurs when free() is called twice on the same pointer in software. Memory may then leak or become corrupted, giving attackers the opportunity to overwrite memory contents.
Such errors can lead to memory leaks, crashes, and the execution of arbitrary code.
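As an added illustration of the bug class (this is not code from the researcher's writeup and not WhatsApp's own code), here is a small C decoder fragment whose error path frees a buffer but leaves the pointer dangling, so the caller's cleanup frees the same allocation a second time, placed beside a version in which the buffer has exactly one owner and every release clears the pointer. The frame struct, the "truncated frame" condition, the free counter and the sample inputs are all constructed for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Global counter used only to make the ownership behaviour checkable.
 * Constructed for this illustration; not part of any real decoder. */
static int g_free_calls = 0;

struct frame {
    unsigned char *pixels;  /* heap buffer owned by the frame, or NULL */
    size_t len;
};

/* Release a buffer exactly once: free only if non-NULL, then clear the
 * caller's pointer so a later release is a harmless no-op. */
static void release_buf(unsigned char **pp) {
    if (*pp != NULL) {
        free(*pp);
        g_free_calls++;
        *pp = NULL;
    }
}

/* BUGGY (shown for contrast, never called below): the error path frees
 * the buffer but leaves f->pixels dangling, so frame_release() afterwards
 * frees the same allocation a second time. AddressSanitizer or a modern
 * glibc aborts with a double-free report at that point. */
int decode_frame_buggy(struct frame *f, const unsigned char *data, size_t len) {
    f->pixels = malloc(len ? len : 1);
    if (f->pixels == NULL) return -1;
    memcpy(f->pixels, data, len);
    f->len = len;
    if (len < 4) {            /* constructed "truncated frame" condition */
        free(f->pixels);      /* first free()                           */
        return -1;            /* f->pixels still points at freed memory */
    }
    return 0;
}

/* HARDENED: same logic, but every release goes through release_buf(),
 * which frees once and nulls the pointer. */
int decode_frame(struct frame *f, const unsigned char *data, size_t len) {
    f->pixels = malloc(len ? len : 1);
    f->len = 0;
    if (f->pixels == NULL) return -1;
    memcpy(f->pixels, data, len);
    if (len < 4) {
        release_buf(&f->pixels);   /* frees once and sets f->pixels = NULL */
        return -1;
    }
    f->len = len;
    return 0;
}

/* Cleanup that is safe to call any number of times. */
void frame_release(struct frame *f) {
    release_buf(&f->pixels);
    f->len = 0;
}

/* Runs the hardened decoder through the error path and then through two
 * cleanups, returning how many times free() was actually called.
 * Expected: 1, because the pointer was cleared after the first release. */
int demo_hardened_frees(void) {
    static const unsigned char truncated[] = { 0x47, 0x49 };  /* constructed 2-byte input */
    struct frame f = { NULL, 0 };
    g_free_calls = 0;
    (void)decode_frame(&f, truncated, sizeof truncated);   /* error path: frees once */
    frame_release(&f);                                      /* no-op: pointer is NULL */
    frame_release(&f);                                      /* still a no-op */
    return g_free_calls;
}

/* Same run with a well-formed input: one allocation, one free, even
 * though frame_release() is called twice. */
int demo_hardened_success(void) {
    static const unsigned char ok[] = { 0x47, 0x49, 0x46, 0x38, 0x39, 0x61 }; /* constructed */
    struct frame f = { NULL, 0 };
    g_free_calls = 0;
    int rc = decode_frame(&f, ok, sizeof ok);
    frame_release(&f);
    frame_release(&f);
    return (rc == 0 && f.pixels == NULL) ? g_free_calls : -1;
}

int main(void) {
    return (demo_hardened_frees() == 1 && demo_hardened_success() == 1) ? 0 : 1;
}
```

The defensive pattern is the release helper that takes the address of the pointer: ownership is unambiguous, cleanup is idempotent, and an error path that has already released the buffer cannot hand a stale pointer to a second free(). Building the buggy variant with `-fsanitize=address` and running it through the same sequence is the quickest way to see the double-free reported rather than silently corrupting the heap.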
In this case, as described by researcher "Awakened" who found the issue, all it took to trigger the vulnerability and perform a Remote Code Execution (RCE) attack was the creation of a malicious GIF file.
According to the researcher's technical writeup on GitHub, the bug can be triggered in two ways. The first, which leads to local privilege escalation, requires a malicious application to already be installed on the target Android device. That app then generates a malicious GIF file, which is used to steal files from WhatsApp by collecting library data.
The second attack vector requires a user to be exposed to the GIF payload in WhatsApp as an attachment or through other channels. (If a GIF is sent directly through WhatsApp's Gallery Picker, however, the attack will fail.) Once the Gallery View is opened in the messaging application, the GIF file will be parsed twice and trigger a remote shell in the app, leading to successful RCE.
Android versions 8.1 and 9.0 are exploitable, but older versions of the operating system -- Android 8.0 and below -- are not. The researcher says that the double-free bug could still be triggered, but in older OS versions, a crash occurs before any malicious code can be executed to tamper with chat sessions.
The security researcher informed Facebook of their findings. The social media giant acknowledged the security issue and has patched the problem in WhatsApp version 2.19.244.
A WhatsApp spokesperson told The Next Web that there have been no reports of the vulnerability being exploited in the wild and the problem was addressed last month.
The company representative added that "this issue affects the user on the sender side, meaning the issue could, in theory, occur when the user takes action to send a GIF. The issue would impact their own device."
However, Awakened has disputed the idea that the bug can only be triggered by a victim sending the GIF, saying, "the claim is not correct [...] the spokesperson must have misunderstood the issue."
It is recommended that WhatsApp users accept automatic updates to their software to stay protected.
In August, Check Point unveiled vulnerabilities in WhatsApp which could be used to intercept and tamper with messages, to change the identities of senders, and to send messages labeled as private but actually made available to public groups.