WhatsApp is the most popular messaging app in the market. And for that, any potential issue should be addressed and resolved quickly.
According to a researcher that goes with the nickname Awakened, a WhatsApp vulnerability allowed hackers to gain access to users' files and messages, by using malicious GIF images. The cause stems from a a 'double-free bug' in WhatsApp.
A double-free bug refers to a memory corruption anomaly that could crash an app.
But that could be worse, as it can also open an exploit vector for hackers to abuse the system, and obtain access to victims' device and its data.
All the hackers needed to do, is to just craft and send a malicious GIF, and wait for the victim to open it.
In a detail explanation on GitHub, Awakened said the flaw that resided in WhatsApp‘s Gallery view implementation, which is used to generate previews for received images, videos, and GIFs.
The bug which seemed to affect primarily Android devices, "works well for Android 8.1 and 9.0, but does not work for Android 8.0 and below,” Awakened wrote.
"In the older Android versions, double-free could still be triggered. However, […] the app just crashes before reaching to the point that we could control the PC register."
Awakened has notified Facebook as the owner of WhatsApp, and the company has since fixed the issue.
"Facebook acknowledged and patched it officially in WhatsApp version 2.19.244. WhatsApp users, please do update to latest WhatsApp version (2.19.244 or above) to get rid of this bug," said Awakened.
What should be noted here is that, it took Whatsapp quite a while before releasing the patch.
Initially when contacted by Awakened, WhatsApp said that it has no reason to believe that the bug affected any of its users.
"The key point that the [vulnerability disclosure] makes is that this issue affects the user on the sender side, meaning the issue could in theory occur when the user takes action to send a GIF. The issue would impact their own device." said a WhatsApp spokesperson.
"It was reported and quickly addressed last month. We have no reason to believe this affected any users though of course we are always working to provide the latest security features to our users."
This statement was disputed by Awakened, by providing a demo that showed the attack in action.
"I would say that the above claim is not correct,” Awakened said. "The spokesperson must have misunderstood the issue."
With a proof-of-concept footage as well as Awakened in providing the steps necessary to reproduce the attack, WhatsApp has since addressed the GIF vulnerability.
Previously, researchers found a bug in WhatsApp that allowed hackers to manipulate or spoof messages. Then there was the WhatsApp bug that allowed hackers to slip in spyware to victims' devices.