A security researcher this week posted details on a new remotely exploitable vulnerability in WhatsApp that attackers could leverage via a malicious GIF image to steal messages, video, audio, and other content from devices running the app.
The disclosure on GitHub, by a researcher using the handle "Awakened," is the second critical vulnerability involving WhatsApp in recent months, suggesting that secure messaging apps are not as secure as many users might perceive. In May, Facebook, which owns WhatsApp, warned about an attacker — thought to be a private company working on behalf of a government — exploiting a security flaw on WhatsApp to spy on human right organizations.
In the latest case, the bug impacts WhatsApp for Android versions 2.19.230 and before on devices running Android 8.1 and 9.0 devices. Facebook has acknowledged the issue and patched it in the latest WhatsApp version 2.19.244.
The bug does not exist in WhatsApp itself but rather in an open source library that the application uses to parse media files. The so-called double-free vulnerability (tracked as CVE-2019-11932) stems from how memory is allocated when GIF images are parsed in WhatsApp. A double-free vulnerability involves an app calling the same memory space on a device twice, resulting in a memory leak.
Ashlee Benge, threat researcher at ZeroFox, says one likely exploitation scenario involves an attacker sending a potential victim a malicious GIF file.
If the attacker's phone number is in the recipient's contacts — which could happen via social engineering, for instance — the GIF file could be downloaded to the recipient's device without any kind of user ..
Support the originator by clicking the read the rest link below.
