WhatsApp users may have been targeted by hackers through malicious GIFs. This bug let hackers gain access to users' data on the app.
WhatsApp was recently affected by a double-free bug that allowed hackers to gain access to user data through malicious GIFs. WhatsApp has since patched the bug in the latest version of the app.
This bug was discovered by information security enthusiast 'Awakened', who posted the details on GitHub. According to the post, hackers could get inside someone's phone by sending malicious GIF files to the user. For the bug to work, however, the GIF file has to be sent as a document and not as a media file. Once the corrupted GIF is received, the bug is triggered through WhatsApp's Gallery folder.
The researcher notes that just opening the WhatsApp Gallery to send images or videos is enough to trigger the bug. Even if the user doesn't send any file, the bug will still be activated, giving hackers remote access. WhatsApp's Gallery folder shows a preview of images, videos and GIFs received on the app. Since the media files, including the malicious GIF, are already downloaded and previewed, the bug will be triggered.
The researcher further explains that this bug works well on phones running Android 8.1 and Android 9. On Android versions below Android 8.0 the bug can still work, but it fails to register because the app simply crashes before the hack completes.
After being informed of the hack, Facebook fixed the bug in WhatsApp version 2.19.230. It also responded to the discovery in a statement to The Next Web: "The key point that the [vulnerability disclosure] makes is that this issue affects the user on the sender side, meaning the issue could in theory occur when the user takes action to send a GIF. The issue would impact their own device," a WhatsApp spokesperson told TNW. "It was reported and quickly addressed last month. We have no reason to believe this affected any users though of course we are always working to provide the latest security features to our users."
The researcher then replied that WhatsApp's claim isn't correct and shared a demo of how the bug can be triggered.