WhatsApp is the world's most used messaging platform that connects billions of people every day. The ubiquity of WhatsApp also makes it vulnerable to attacks from hackers. WhatsApp has often boasted about the security features of the platform but there have been reports about breaches and attacks. Earlier in the year, a WhatsApp bug was discovered that allowed hackers to install spyware on devices. Now, a new vulnerability has been discovered that compromises users' security and allows hackers to gain access to the phone and steal data by sending a malicious GIF file.
The vulnerability has been acknowledged by Facebook and has been patched in WhatsApp version 2.19.244. The company has asked users to update WhatsApp to the new version to stay safe from the bug. The security loophole was discovered by "technologist and information security enthusiast" Awakened, who published the findings on GitHub.
The new WhatsApp bug relies on an attacker sending the harmful GIF file to a user via any channel, including email or any other messaging platform. Once the GIF is on the device, the attack gets triggered by merely opening the media gallery within WhatsApp. "Since WhatsApp shows previews of every media (including the GIF file received), it will trigger the double-free bug and our RCE exploit," the security researcher explained.
A double-free bug occurs when a program frees the same memory address twice, which corrupts memory and can crash the app or leave it open to exploitation. The exploit works only up to version 2.19.230. "The exploit works well until WhatsApp version 2.19.230. The vulnerability is officially patched in WhatsApp version 2.19.244," said the researcher on GitHub. The exploit also doesn't work on older Android versions, including Android 8 and below.
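To make the double-free mechanism concrete, here is an added example (not code from WhatsApp, the researcher, or this article): a generic decoder loop that releases its pixel buffer twice, next to the usual fix of clearing the pointer after the first release. The one-slot allocator, the `decode` function and the frame sizes are all constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed one-slot allocator: it counts a second release of the same
   block instead of corrupting a real heap, so the bug is safe to observe. */
static unsigned char slot[64];
static int slot_live, double_frees;

static unsigned char *slot_alloc(void) { slot_live = 1; return slot; }

static void slot_free(unsigned char *p) {
    if (p == NULL) return;                      /* like free(NULL): no-op */
    if (!slot_live) { double_frees++; return; } /* same address freed twice */
    slot_live = 0;
}

/* Hypothetical decoder loop: frame_sizes[i] is the pixel count of frame i.
   A zero-size frame releases the buffer; cleanup releases it again.
   Returns the number of double frees the allocator observed. */
static int decode(const size_t *frame_sizes, size_t n, int hardened) {
    unsigned char *raster = NULL;
    slot_live = 0;
    double_frees = 0;
    for (size_t i = 0; i < n; i++) {
        if (frame_sizes[i] == 0) {
            slot_free(raster);
            if (hardened) raster = NULL;  /* fix: drop the stale pointer */
        } else if (raster == NULL) {
            raster = slot_alloc();
        }
    }
    slot_free(raster);                    /* end-of-file cleanup */
    return double_frees;
}

int main(void) {
    const size_t frames[] = {16, 0, 0};   /* constructed sample input */
    printf("unpatched: %d double frees\n", decode(frames, 3, 0));
    printf("hardened:  %d double frees\n", decode(frames, 3, 1));
    return 0;
}
```

On a real heap the second release would not be counted harmlessly; it would corrupt the allocator's bookkeeping, which is why clearing the pointer after the first release matters.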
Meanwhile, in a statement to The Next Web, WhatsApp said, "the issue affects the user on the sender side, meaning the issue could, in theory, occur when the user takes action to send a GIF. The issue would impact their own device."
WhatsApp also confirmed that the bug "was reported and quickly addressed last month. We have no reason to believe this affected any users though of course, we are always working to provide the latest security features to our users."
Edited By: Udit Verma