A researcher has released details of a WhatsApp remote code execution (RCE) flaw that, it is claimed, could be used to compromise not only the app but the mobile device the app is running on.
Reported to Facebook some weeks ago by a researcher called ‘Awakened’, the critical issue (CVE-2019-11932) affects the Android version of the app on Android 8.1 and 9.0, though apparently not on Android 8.0 (Apple’s iOS doesn’t appear to be affected).
It’s described as a double-free memory vulnerability in a WhatsApp image preview library called libpl_droidsonroids_gif.so, and some aspects of how it might execute remain unclear.
The researcher says an attack would start with sending a malicious GIF image through any channel: by email, via a rival messaging app, or directly through WhatsApp itself.
If WhatsApp is the channel and the sender (or a hapless intermediary) is on the user’s contacts list as a friend, the GIF would apparently download to the device automatically.
Execution would happen when the recipient subsequently opens the WhatsApp Gallery even if no file is selected or sent. Writes Awakened:
Since WhatsApp shows previews of every media (including the GIF file received), it will trigger the double-free bug and our RCE exploit.
To back this up, Awakened has released a video showing the sequence of events running on WhatsApp v2.19.203.
This shows the exploit giving an attacker full reverse shell with root and complete access to all the files on that device, its SD Card, and what appears to be the WhatsApp message database.
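As an added illustration, not code from the article, from Awakened, or from WhatsApp’s GIF library, the C sketch below shows the bug class the article names (a double free in a pixel buffer that is reused across animation frames) beside the allocation pattern that avoids it. The decoder_state, resize_raster_buggy, resize_raster_safe and decode_frames names and the frame sequence are constructed for the example; the real library’s internals are not reproduced, and the buggy function is kept for reading only and is never called.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical decoder state (not libpl_droidsonroids_gif.so): one raster
 * buffer reused across animation frames and resized when a frame's size changes. */
typedef struct {
    uint8_t *raster;     /* pixel buffer for the frame being decoded */
    size_t   raster_len; /* its current size in bytes */
} decoder_state;

typedef struct { size_t w, h; } frame_hdr; /* constructed frame header */

/* Buggy pattern (kept for reading only, never called here): the old buffer is
 * freed first and the pointer is left in place. If the allocation is skipped
 * (zero-sized frame) or fails, the next frame's resize frees the same pointer
 * again, which is the double free. */
int resize_raster_buggy(decoder_state *st, size_t w, size_t h) {
    size_t need = w * h;
    free(st->raster);                 /* st->raster still points at freed memory */
    if (need == 0) return -1;         /* early return leaves the stale pointer */
    st->raster = malloc(need);
    if (st->raster == NULL) return -1;
    st->raster_len = need;
    return 0;
}

/* Hardened pattern: validate the header before touching state, allocate the
 * new buffer first, and only free the old one once the swap cannot fail. */
int resize_raster_safe(decoder_state *st, size_t w, size_t h) {
    if (w == 0 || h == 0 || w > SIZE_MAX / h) return -1; /* zero or overflowing frame */
    size_t need = w * h;
    if (need == st->raster_len) return 0;             /* buffer already the right size */
    uint8_t *fresh = malloc(need);
    if (fresh == NULL) return -1;                     /* old buffer remains valid and owned */
    free(st->raster);
    st->raster = fresh;
    st->raster_len = need;
    return 0;
}

/* Walk a sequence of frame headers with the safe resize; frames the decoder
 * rejects are skipped. Returns the number of frames accepted. */
int decode_frames(decoder_state *st, const frame_hdr *frames, size_t n) {
    int accepted = 0;
    for (size_t i = 0; i < n; i++) {
        if (resize_raster_safe(st, frames[i].w, frames[i].h) != 0) continue;
        memset(st->raster, 0, st->raster_len); /* stand-in for writing decoded pixels */
        accepted++;
    }
    return accepted;
}

/* Release the buffer exactly once and clear the pointer so a second call is harmless. */
void decoder_free(decoder_state *st) {
    free(st->raster);
    st->raster = NULL;
    st->raster_len = 0;
}

/* Constructed sample: five frames, one of them zero-sized, as a malformed file
 * might carry. Returns the accepted-frame count (4). */
int demo_sequence(void) {
    decoder_state st = { NULL, 0 };
    const frame_hdr frames[] = { {4, 4}, {0, 8}, {4, 4}, {8, 8}, {8, 8} };
    int accepted = decode_frames(&st, frames, sizeof frames / sizeof frames[0]);
    decoder_free(&st);
    decoder_free(&st); /* second release is a no-op, not a double free */
    return accepted;
}

int main(void) {
    printf("frames accepted: %d\n", demo_sequence());
    return 0;
}
```

The two resize functions differ only in ordering and validation: the safe one rejects a bad frame header before it changes any state, allocates before it frees, and leaves the old buffer owned and valid on every failure path, so no pointer to freed memory ever survives into the next frame.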
As mobile vulnerabilities go, this one looks like the keys to the castle. TNW’s report quotes someone from Facebook as responding:
It was reported and quickly addressed last month. We have no reason to believe this affected any users though of course we are always working to provide the latest security features to our users.
The company has also claimed that the exploit requires the user to have sent a malicious GIF themselves – something Awakened disputes. Judging by the video proof of concept, Awakened’s account looks the more likely.
Time to worry?
Assuming users running affected Android versions have updated recently – this should happen automatically via the Play Store – the answer is no.
The WhatsApp version that patched the bug is 2.19.244, which appeared in early September.
More bothersome is that such a thing is possible at all. App exploits giving attackers control over a mobile device aren’t exactly thick on the ground even if WhatsApp itself has suffered the odd security flaw in recent times.
These include May’s report of a zero-day vulnerability that an “advanced cyber actor” had been exploiting to spy on a select group of WhatsApp users.
An even better fit might be a flaw discovered in October 2018 by Google that could have been used to compromise a user’s Android or iPhone device simply by getting them to answer a call.
Many of WhatsApp’s 1.5 billion users choose the software for its privacy and security. These flaws are a reminder that the feature list doesn’t include invulnerability.