A picture is worth a thousand words, but a GIF is worth a thousand pictures.
Today these short looping clips are everywhere: on your social media, on your message boards, in your chats, helping users express their emotions, making people laugh, and reliving a highlight.
But what if an innocent-looking GIF greeting with a Good morning, Happy Birthday, or Merry Christmas message hacks your smartphone?
Well, it is not a theoretical idea anymore.
WhatsApp has recently patched a critical security vulnerability in its app for Android, which remained unpatched for at least 3 months after being discovered, and if exploited, could have allowed remote hackers to compromise Android devices and potentially steal files and chat messages.
WhatsApp Remote Code Execution Vulnerability
The vulnerability, tracked as CVE-2019-11932, is a double-free memory corruption bug that doesn't actually reside in the WhatsApp code itself, but in an open-source GIF image parsing library natively included in Android OS and used by WhatsApp.
Discovered by Vietnamese security researcher Pham Hong Nhat in May this year, the issue successfully leads to remote code execution attacks, enabling attackers to execute arbitrary code on targeted devices in the context of WhatsApp with the permissions the app has on the device.
"The payload is executed under WhatsApp context. As a result it has the permission to read the SDCard and access the WhatsApp message database," the researcher told The Hacker News in an email interview.
"Malicious code will have all the permissions that WhatsApp has, including recording audio, accessing the camera, accessing the file system, as well as WhatsApp's sandbox storage that includes secured chat database and so on…"
How Does the WhatsApp RCE Vulnerability Work?
WhatsApp uses the parsing library in question to generate a preview for GIF files when users select them from their device's image gallery before sending GIF messages to their friends or family.
So, it should be noted, the vulnerability is not triggered just by sending a malicious GIF file to a victim; instead, it is executed when the victim tries to send a malicious GIF stored in the gallery to someone else.
All an attacker needs to do is send a specially crafted malicious GIF file to a targeted Android user via any online communication channel and wait for the user to open the image gallery in WhatsApp and select that malicious GIF file.
However, if attackers want to send the GIF file to victims via any messaging platform like WhatsApp or Messenger, they need to send it as a document file rather than as a media file attachment, because the image compression applied by these services distorts the malicious payload hidden in images.
As shown in a proof-of-concept video demonstration the researcher shared with The Hacker News, the vulnerability can eventually be exploited to simply pop up a reverse shell remotely from the hacked device.
Vulnerable Apps, Devices and Available Patches
Because the flaw originates from a native Android library, the issue affects WhatsApp version 2.19.230 and older versions running on Android 8.1 and 9.0, but does not work for Android 8.0 and below.
"In the older Android versions, double-free could still be triggered. However, because of the malloc calls by the system after the double-free, the app just crashes before reaching to the point that we could control the PC register," the researcher writes.
Nhat told The Hacker News that he reported the vulnerability to Facebook, which owns WhatsApp, in late July this year, and the company included a security patch in WhatsApp version 2.19.244, released in September.
Therefore, to protect yourself against any exploit surrounding this vulnerability, you are advised to update your WhatsApp to the latest version from the Google Play Store as soon as possible.
Evidently, WhatsApp for iOS is not affected by this vulnerability.
The developer of the affected GIF library, called Android GIF Drawable, has also released version 1.2.18 of the software to patch the double-free vulnerability.
Besides this, it is also possible that any other Android app using the same affected library to parse GIF files could be vulnerable to similar attacks.
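For developers who want to check whether their own Android builds pull in a release of the library older than the fixed 1.2.18, the following is an added example, not code from the article, the researcher, or the library's developer. The Maven coordinate is the library's published one and does not appear in the article; the sample build file is constructed for illustration.

```python
import re

# Maven coordinate of Android GIF Drawable (not stated in the article).
COORDINATE = "pl.droidsonroids.gif:android-gif-drawable"
FIXED = (1, 2, 18)  # release the article names as carrying the double-free patch

# 'group:artifact:version' string notation, Groovy or Kotlin DSL.
# Map notation (group: ..., name: ..., version: ...) is not handled here.
DEP_RE = re.compile(re.escape(COORDINATE) + r""":([^'"\s@]+)""")

def parse_version(text):
    """Tuple of ints for a plain x.y.z version; None for dynamic versions,
    ranges, variables or pre-release tags that cannot be compared safely."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def audit(build_file_text):
    """Return (line_no, version, status) per declaration found.
    status: 'outdated' (below 1.2.18), 'ok', or 'review' (not pinned)."""
    findings = []
    for line_no, line in enumerate(build_file_text.splitlines(), 1):
        code = line.split("//", 1)[0]  # skip commented-out declarations
        for match in DEP_RE.finditer(code):
            version = match.group(1)
            parsed = parse_version(version)
            if parsed is None:
                status = "review"
            else:
                # Pad so that "1.2" compares as 1.2.0.
                padded = parsed + (0,) * (len(FIXED) - len(parsed))
                status = "outdated" if padded < FIXED else "ok"
            findings.append((line_no, version, status))
    return findings

# Constructed sample build.gradle content.
SAMPLE = '''\
dependencies {
    implementation 'pl.droidsonroids.gif:android-gif-drawable:1.2.17'
    // implementation 'pl.droidsonroids.gif:android-gif-drawable:1.2.3'
    implementation("pl.droidsonroids.gif:android-gif-drawable:1.2.18")
    implementation "pl.droidsonroids.gif:android-gif-drawable:$gifVersion"
    implementation 'pl.droidsonroids.gif:android-gif-drawable:1.2.+'
}
'''

if __name__ == "__main__":
    for line_no, version, status in audit(SAMPLE):
        print(f"line {line_no}: {version} -> {status}")
```

Declarations reported as review use a variable or a dynamic version, so the resolved version has to be confirmed from the build's dependency report.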