The encrypted WhatsApp messaging platform is not flawless, and various reports this year have disclosed vulnerabilities in the app which can be exploited by attackers or which can leave users open to harmful consequences. These flaws have included sophisticated nation-state attacks, targeted hacking and misleading functionality.
Now a new bug has been disclosed, one that allows an attacker to use a malicious GIF image file to open a vulnerability in WhatsApp and potentially access user content. The bug was identified and shared by “technologist and information security enthusiast” Awakened on Github, with a detailed explanation of how it works.
It’s complex—but essentially the bug relies on an attacker pushing the malicious GIF file to the victim’s device through any channel. That could be WhatsApp or email or any other messaging platform. With the GIF on the device, when the victim opens the gallery within WhatsApp to send any image—not necessarily the malicious one—the hack triggers and the device and its contents become potentially vulnerable.
“WhatsApp users,” Awakened warns in his blog, “please do update to latest WhatsApp version (2.19.244 or above) to stay safe from this bug.”
From a technical perspective, the attack relies on a so-called double-free bug, where the same memory address on the device is called twice, pushing memory allocation into an unexpected spin, which either crashes the app or opens the vulnerability. Replicating an attack using the bug does not seem to be entirely reliable, and affects different versions of operating system software in different ways, but a bug is a bug and once identified can be developed and expanded upon.
WhatsApp told The Next Web in a statement that there were no reports of any attacks on users exploiting this vulnerability, and that “this issue affects the user on the sender side, meaning the issue could in theory occur when the user takes action to send a GIF. The issue would impact their own device.”
As Awakened then pointed out, “I would say that the above claim is not correct. The spokesperson must have misunderstood the issue.”
What he means is that although there is some action on the victim’s side required—opening the gallery within WhatsApp, this is a run of the mill activity and not one that would arouse suspicion. As long as the attacker has planted the image on the device—through any channel—the vulnerability can be exploited.
WhatsApp also confirmed to TNW that the bug “was reported and quickly addressed last month. We have no reason to believe this affected any users though of course we are always working to provide the latest security features to our users.”
The bug has been identified and patched—the specifics of how it’s exploited matter less now than ensuring that users update to the latest version of the app. And while this only seems to impact Android devices, that advice to update is universal. Once a vulnerability reaches the public domain, there is always a risk of it being used—would-be attackers are well aware of the inertia that sees many users update apps much more sporadically than is healthy for their data security.
For WhatsApp and “secure” messaging in general, this is another timely reminder that nothing is ever 100% safe and secure, exploits have been found and used. There is no silver bullet for this, other than exercising caution with what’s installed and downloaded, and keeping systems and apps updated.