Attention WhatsApp users! According to a recent research report, a serious security bug was recently found in the Facebook-owned instant messenger WhatsApp that could allow hackers to gain access to a device and steal data like photos and messages by using a malicious GIF file.
So, if you haven’t updated WhatsApp on your Android smartphone recently, do it now to avoid the critical vulnerability, which the researcher has termed a “double-free vulnerability”.
The issue came to light after a technologist and information security enthusiast nicknamed Awakened published a blog post on GitHub explaining how the double-free bug resided in WhatsApp’s Gallery view implementation, which is used to generate previews for images, videos, and GIFs.
Awakened’s post also explained, with a video demo, the steps by which the bug can be used to steal data from an Android phone. The steps are as below:
1. 0:16: Attacker sends GIF file to the user via any channels
   - One of them could be as Document via WhatsApp (i.e. pressing the Paper Clip button and choose Document to send the corrupted GIF)
   - If the attacker is in the contact list of the user (i.e. a friend), the corrupted GIF is downloaded automatically without any user interaction
2. 0:24: User wants to send a media file to any of his/her WhatsApp friends. So the user presses on the Paper clip button and opens the WhatsApp Gallery to choose a media file to send to his friend.
   - Take note that the user does not have to send anything because just opening the WhatsApp Gallery will trigger the bug. No additional touch after pressing WhatsApp Gallery is necessary.
3. 0:30: Since WhatsApp shows previews of every media (including the GIF file received), it will trigger the double-free bug and our RCE exploit.
“The exploit works well for Android 8.1 and 9.0, but does not work for Android 8.0 and below. In the older Android versions, double-free could still be triggered. However, […] the app just crashes before reaching the point that we could control the PC register,” Awakened said in his write-up.
However, WhatsApp has already fixed this issue in the v2.19.244 update, so users should make sure to update the app to version 2.19.244 or above.
WhatsApp confirmed this. A WhatsApp spokesperson told The Next Web: “The key point that the [vulnerability disclosure] makes is that this issue affects the user on the sender side, meaning the issue could, in theory, occur when the user takes action to send a GIF. The issue would impact their own device.”
“It was reported and quickly addressed last month. We have no reason to believe this affected any users though of course, we are always working to provide the latest security features to our users,” it added.
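To check a device against the fixed version named above, the following shell functions parse the output of `adb shell dumpsys package com.whatsapp` and compare the installed version numerically. This is an added example, not code from Awakened's write-up or from WhatsApp; the function names and the sample dumpsys lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: is the installed WhatsApp build at or above the fixed
# version named in the article? Function names are hypothetical.

FIXED_VERSION="2.19.244"   # fixed version, as stated in the article

# Print the first versionName value found in dumpsys output on stdin.
extract_version() {
    sed -n 's/^[[:space:]]*versionName=\([0-9][0-9.]*\).*$/\1/p' | head -n 1
}

# Return 0 if version $1 >= version $2. Fields are compared as numbers,
# because a string compare would wrongly rank 2.19.98 above 2.19.244.
version_ge() {
    va=$1; vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        x=${va%%.*}; y=${vb%%.*}
        case $va in *.*) va=${va#*.} ;; *) va= ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
        x=${x:-0}; y=${y:-0}          # a missing field counts as 0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# Read dumpsys output on stdin; print PATCHED, VULNERABLE or UNKNOWN.
check_whatsapp() {
    ver=$(extract_version)
    if [ -z "$ver" ]; then
        echo "UNKNOWN"; return 2      # package absent or output not parsed
    fi
    if version_ge "$ver" "$FIXED_VERSION"; then
        echo "PATCHED $ver"
    else
        echo "VULNERABLE $ver"; return 1
    fi
}

# Constructed sample of the relevant dumpsys lines (not from a real device).
SAMPLE_OLD='Packages:
  Package [com.whatsapp] (abc1234):
    versionCode=452964 minSdk=16 targetSdk=28
    versionName=2.19.98'

# Live use against a USB-attached device, if adb is installed:
#   adb shell dumpsys package com.whatsapp | check_whatsapp
```

The non-zero return codes let the function be used directly in a fleet audit loop, where `UNKNOWN` devices need a manual look rather than being counted as patched.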