Update: A WhatsApp spokesperson has since addressed the GIF vulnerability in an email to TNW. You can peruse its statement at the bottom of the piece.
Update 2: Awakened, the researcher who discovered the vulnerability, has disputed WhatsApp’s claims that the exploit only works if “a user takes action to send a GIF.” He has also provided TNW with a demo that shows the attack in action. Head to the bottom of the piece to take a peek.
You better update WhatsApp right now. A researcher has discovered a nasty vulnerability in the Facebook-owned privacy-oriented messenger that made it possible to for attackers to gain access to your files and messages — by using malicious GIFs.
The danger stems from a double-free bug in WhatsApp, according to a researcher going by the nickname Awakened. For those unfamiliar with the term, a double-free vulnerability refers to a memory corruption anomaly that could crash an app, or worse — open up an exploit vector that attackers can abuse to obtain access to your device. All it takes to perform the attack is to craft a malicious GIF, and wait for the user to open the WhatsApp gallery.
In a technical write-up on GitHub, the researcher explains the flaw resided in WhatsApp’s Gallery view implementation, which is used to generate previews for images, videos, and GIFs.
The exploit seems to affect primarily Android devices. “The exploit works well for Android 8.1 and 9.0, but does not work for Android 8.0 and below,” Awakened writes. “In the older Android versions, double-free could still be triggered. However, […] the app just crashes before reaching to the point that we could control the PC register.”
The researcher has already notified Facebook of this shortcoming, and the company has since fixed the issue. To protect yourself against the exploit, you should download the latest version of the app.
“Facebook acknowledged and patched it officially in WhatsApp version 2.19.244. WhatsApp users, please do update to latest WhatsApp version (2.19.244 or above) to get rid of this bug,” the researcher urged users in his blog post.
Not a first for WhatsApp
This is hardly the first time WhatsApp has dealt with potentially harmful flaws in its software.
Earlier this year, the Financial Times reported a vulnerability in the messaging app allowed attackers to slip in spyware on users’ devices. WhatsApp rushed to fix the issue, but did not clarify how many users were affected by this loophole.
More recently, researchers found a kink in WhatsApp that made it possible to manipulate or spoof messages.
It remains unclear if attackers were able to exploit the double-free vulnerability in the wild, but we’ve reached out to Facebook for a clarification, and will update this piece accordingly if we hear back.
For a more technical breakdown of the now-patched exploit in WhatsApp, head to this page.
Update October 2, 16:20UTC: In an email to TNW, WhatsApp said the company has no reason to believe the bug affected any users.
“The key point that the [vulnerability disclosure] makes is that this issue affects the user on the sender side, meaning the issue could in theory occur when the user takes action to send a GIF. The issue would impact their own device.” a WhatsApp person told TNW. “It was reported and quickly addressed last month. We have no reason to believe this affected any users though of course we are always working to provide the latest security features to our users.”
We incorrectly suggested a hacker can exploit the loophole by sending GIFs. Instead, an attacker would have to trick a user into sending a malicious GIF to successfully perform a remote code execution. We have updated to reflect that.
Update October 2, 18:35UTC: Awakened, the researcher who initially disclosed the vulnerability, has since disputed WhatsApp’s claims that a hacker can only pull off the exploit if a “user takes action to send a GIF.”
“I would say that the above claim is not correct,” the researcher said in an email to TNW. “The spokesperson must have misunderstood the issue.”
Awakened has since updated his post with a proof-of-concept footage as well as the steps necessary to reproduce the attack. You can see the demo below: