Update your WhatsApp; it may be vulnerable to hacks


WhatsApp is probably the reason many people use smartphones. The smooth and fast messaging application has connected families, friends and businesses like never before, and in the process has nearly replaced a number of outdated technologies such as SMS, expensive international calls and shaky video calls on other applications.

A lot of important and private data passes through this app every minute. That said, recent research shows that the app is vulnerable to attack, especially through malicious GIFs that hackers can use to get at your personal information.

Even though WhatsApp boasts of its security features, including end-to-end encryption, the research suggests that there can be breaches and attacks from external sources.

Earlier this year, a bug was discovered in WhatsApp that lets hackers install spyware on devices. If that were not enough, this bug also lets hackers steal personal data by sending a malicious GIF. Android phones are more vulnerable to this than their iOS counterparts.

The vulnerability can be used to compromise user chat sessions, files, and messages through malicious GIFs. The security flaw, CVE-2019-11932, is a double-free bug found in WhatsApp for Android in versions below 2.19.244, says the research report.

A double-free vulnerability occurs when a program calls free() twice on the same memory address. Memory may then leak or become corrupted, giving attackers the opportunity to overwrite data. Such errors can lead to memory leaks, crashes, and the execution of arbitrary code.
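The double-free pattern described above, as an added C example that is not from the original article or from WhatsApp's code: a decoder that frees its frame buffer on an empty frame but keeps the stale pointer, next to a hardened version that clears it. The `decoder` struct, `release`, `resize_buggy`, `resize_hardened` and the frame sizes are constructed for illustration, and the wrapper counts the repeated release instead of letting it reach free() again.

```c
#include <stdio.h>
#include <stdlib.h>
/* Constructed decoder context that owns one frame buffer. */
typedef struct {
    unsigned char *frame;      /* owned buffer, NULL when none */
    unsigned char *last_freed; /* last address released, kept for detection */
    int double_frees;          /* repeated releases that were caught */
} decoder;

/* Release wrapper: counts and skips a repeated release of one address. */
static void release(decoder *d, unsigned char *p) {
    if (p == NULL) return;
    if (p == d->last_freed) { d->double_frees++; return; }
    d->last_freed = p;
    free(p);
}

/* Buggy pattern: an empty frame frees the buffer but keeps the stale pointer. */
static void resize_buggy(decoder *d, size_t n) {
    if (n == 0) { release(d, d->frame); return; }
    d->frame = realloc(d->frame, n);
    d->last_freed = NULL;
}

/* Hardened pattern: clear the owning pointer as soon as the buffer is freed. */
static void resize_hardened(decoder *d, size_t n) {
    if (n == 0) { release(d, d->frame); d->frame = NULL; return; }
    unsigned char *p = realloc(d->frame, n);
    if (p == NULL) return;     /* old buffer stays valid on failure */
    d->frame = p;
    d->last_freed = NULL;
}

/* Feed a constructed sequence of frame sizes; return the double frees caught. */
static int run(int hardened) {
    static const size_t sizes[] = { 64, 0, 0 };  /* two empty frames in a row */
    decoder d = { NULL, NULL, 0 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        if (hardened) resize_hardened(&d, sizes[i]);
        else          resize_buggy(&d, sizes[i]);
    }
    release(&d, d.frame);      /* normal end-of-decode cleanup */
    return d.double_frees;
}

int main(void) {
    printf("buggy: %d caught, hardened: %d caught\n", run(0), run(1));
    return 0;
}
```

In the buggy run both the second empty frame and the final cleanup try to free an address that is already free; clearing the pointer at the point of release removes both.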

In this case, the WhatsApp vulnerability was discovered by a researcher who goes by the handle ‘Awakened’, who created and used a malicious GIF file to trigger the vulnerability and perform a Remote Code Execution (RCE) attack.

Awakened explained that the bug can be triggered in two ways. The first requires that a malicious application already be installed on the target Android device; the app then creates a malicious GIF file that is used to steal files from WhatsApp by collecting library data. The second attack method requires that a user be exposed to a malicious GIF’s payload in WhatsApp, either as an attachment or through other channels.

Android versions 8.1 and 9.0 are exploitable, but older versions of the operating system — Android 8.0 and below — are not. The researcher says that the double-free bug could still be triggered, but in older OS versions, a crash occurs before any malicious code can be executed to tamper with chat sessions.

‘Awakened’ has informed WhatsApp’s owner Facebook of the findings. The company has acknowledged the security issue and patched it in WhatsApp version 2.19.244.

A WhatsApp spokesperson said that there have been no reports of the vulnerability being exploited in the wild and the problem was addressed last month. He added that the issue affects the user on the sender side, meaning the issue could, in theory, occur when the user takes action to send a GIF. The issue would impact their own device, the company says. ‘Awakened’, however, has debunked the claim.
