WhatsApp vulnerability allows hackers to use GIFs to view your chat logs
A vulnerability in WhatsApp for Android may allow hackers to see a user’s entire chat log by sending them a GIF.
Singapore-based researcher Awakened wrote a GitHub blog post detailing the security hole, including a demonstration that shows the steps needed to trigger the double-free vulnerability on Android devices.
The attack begins when a threat actor sends a corrupted GIF file to the intended victim. Once the recipient opens their own WhatsApp gallery via the ‘paper clip’, they have inadvertently triggered the double-free bug, even if they don’t necessarily click into any GIFs in the gallery. Once the bug is triggered, the hacker can see everything in the WhatsApp sandbox, allowing them access to the message database.
According to Awakened, the exploit works well up until WhatsApp version 2.19.230. The researcher very dutifully reached out to Facebook, which owns WhatsApp, to inform it of the vulnerability, which has now been officially patched as of WhatsApp version 2.19.244. Awakened is urging all WhatsApp users to immediately update to this version of the software in order to stay safe from the bug.
Siliconrepublic.com has reached out to representatives of Facebook for comment, though as of the time of publication it has not responded.
Yesterday (07 October), we also reported on a zero-day vulnerability affecting 18 different models of Android-enabled smartphones that can allow hackers to assume total control of the devices.
Members of Google’s Project Zero research team derestricted the technical details of the vulnerability after waiting the requisite period of time following their report to Android teams.
According to Project Zero researcher Maddy Stone, the exploit is being actively used either by cyber intelligence company NSO Group or by one of its customers, which NSO has roundly denied.
“The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device,” Stone wrote. “If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.”
Various Samsung Galaxy phones and two different Xiaomi phones were listed as being vulnerable.