WhatsApp vulnerability allows hackers to use GIFs to view your chat logs

8 Oct 2019

Image: © PixieMe/Stock.adobe.com

A Singapore-based researcher has discovered a flaw that could allow hackers to view a user’s entire WhatsApp chat history by sending a corrupt GIF.

A vulnerability in WhatsApp for Android could allow hackers to see a user’s entire chat log by sending them a GIF.

Singapore-based researcher Awakened wrote a GitHub blog post detailing the security hole, including a demonstration that shows the steps needed to trigger the double-free vulnerability on Android devices.

The attack begins when a threat actor sends a corrupted GIF file to the intended victim. Once the recipient opens their own WhatsApp gallery via the ‘paper clip’, they can inadvertently trigger the double-free bug, even if they don’t necessarily click into any GIFs in the gallery. Once the bug is triggered, the hacker can see everything in the WhatsApp sandbox, allowing them access to the message database.

According to Awakened, the exploit works well up until WhatsApp version 2.19.230. The researcher reached out to Facebook, the owner of WhatsApp, to inform it of the vulnerability, which has now been officially patched as of version 2.19.244. Awakened is urging all WhatsApp users to update to this version of the software in order to stay safe from the bug.

Siliconrepublic.com reached out to representatives of Facebook for comment, but there was no response at the time of publication.

Android vulnerabilities

Yesterday (7 October), we also reported on a zero-day vulnerability affecting 18 different models of Android-enabled smartphones that can allow hackers to assume total control of the devices.

Members of Google’s Project Zero research team derestricted the technical details of the vulnerability, waiting a requisite period of time after reporting the vulnerability to Android teams.

According to Project Zero researcher Maddy Stone, the exploit is being actively used by either by cyber intelligence company NSO Group or one of its customers, although NGO has roundly denied this claim.

“The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device,” Stone wrote. “If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.”

Various Samsung Galaxy phones and two different Xiaomi phones were listed as being vulnerable.

Eva Short was a journalist at Silicon Republic