A “double-free” bug in WhatsApp lets attackers use a malicious GIF to access user content, according to a blog post by a self-described technologist and information security enthusiast who goes by the handle Awakened on GitHub.
An attacker would need to send the GIF to a victim’s device via a messaging platform. The vulnerability is exploited, and allows access to content, once the user opens the photo gallery to send any image.
“Once the user receives the malicious GIF file, nothing will happen until the user opens WhatsApp Gallery to send a media file to his/her friend,” Awakened wrote, noting that “the exploit works well until WhatsApp version 2.19.230” and that Facebook patched the vulnerability in version 2.19.244.
“The exploit works well for Android 8.1 and 9.0, but does not work for Android 8.0 and below. In the older Android versions, double-free could still be triggered,” Awakened said. “However, because of the malloc calls by the system after the double-free, the app just crashes before reaching the point that we could control the PC register.”
User risk has increased as “messaging applications have begun to automatically download media files prior to user interaction, in order to enhance user-experience,” said Ashlee Benge, Threat Researcher at ZeroFox. “In addition to cases such as this, where a malicious GIF is downloaded without user consent, we often see hyperlink previews (popular on social media sites and messaging applications) abused to load malicious content.”
Users must “recognize that despite advertising, secure instant messaging is probably not as secure as you would think,” Benge said. “Although these types of vulnerabilities are generally patched as soon as they are discovered, it is important to be cognizant that secure messaging is not foolproof.”