Popular messaging platform WhatsApp boasts encrypted communication that keeps chats and calls secure and prevents any third party, or even WhatsApp itself, from accessing them. But the latest WhatsApp security flaw shows that the Facebook-owned app also faces security issues and might not be as safe as it appears.
A security bug has reportedly been found in WhatsApp that allows an attacker to potentially access user content and steal data by using a malicious GIF image file. The danger stems from a double-free bug in WhatsApp that was identified and shared by “technologist and information security enthusiast” Awakened on GitHub with a detailed explanation of how it works.
A double-free bug is a memory corruption flaw in which a program frees the same block of memory twice. It can cause the app to crash or open up an exploit vector, which attackers can use to gain access to the user’s device.
The latest WhatsApp flaw resides in the gallery view, where previews of photographs, videos and GIFs are generated. A malicious GIF file can be delivered to the victim’s phone through WhatsApp, email or any other messaging platform. With the GIF planted on the device, the hack triggers when the victim opens the gallery within WhatsApp to send any image, and the device and its contents become potentially vulnerable.
All it takes to perform the attack is to craft a malicious GIF, and wait for the user to open the WhatsApp gallery, according to Awakened’s post on GitHub. “The exploit works well until WhatsApp version 2.19.230. The vulnerability is officially patched in WhatsApp version 2.19.244,” the researcher wrote.
The exploit works on Android 8.1 and Android 9.0 but does not work on Android 8.0 and below.
WhatsApp said that the bug was fixed last month and it had “no reason to believe” that the bug affected anyone. “The key point that the [vulnerability disclosure] makes is that this issue affects the user on the sender side, meaning the issue could in theory occur when the user takes action to send a GIF. The issue would impact their own device,” a WhatsApp spokesperson told The Next Web.
“It was reported and quickly addressed last month. We have no reason to believe this affected any users though of course we are always working to provide the latest security features to our users.”
However, Awakened, the security researcher, has disputed WhatsApp's claim and asserted that the security flaw still exists. He submitted a proof-of-concept video to The Next Web to back his claim.