A researcher has discovered a flaw in WhatsApp which is allowing hackers to breach the privacy of users and steal their data. The researcher, named “Awakend”, found a double-free bug in the app.
In a double-free bug a file, which is named “free() free()”, will cause memory corruption that can crash applications and make way for hackers by opening a path to steal data. In this case, all the hacker needs to do is modify a GIF to make it malicious, send it to users and wait for them to open the WhatsApp gallery.
The bug is allowing hackers to steal data including messages, video, audio, and other files with the help of a malicious GIF image file. In the month of May, Facebook issued a warning of an attacker. Facebook thought the attacker is a private company working for a government which is taking advantage of a security flaw on WhatsApp to snooping on human right organizations.
Awakend wrote a write up and published that on GitHub, in the article he explains that the issue sits in the view application of WhatsApp gallery. He wrote,
“The exploit works well for Android 8.1 and 9.0, but does not work for Android 8.0 and below, in the older Android versions, double-free could still be triggered. However, the app just crashes before reaching the point that we could control the PC register. Facebook acknowledged and patched it officially in WhatsApp version 2.19.244. WhatsApp users, please do update to the latest WhatsApp version (2.19.244 or above) to get rid of this bug.”
WhatsApp, while talking to The Next Web, said “that there were no reports of any attacks on users exploiting this vulnerability,” and that “this issue affects the user on the sender side, meaning the issue could in theory occur when the user takes action to send a GIF. The issue would impact their own device.”
This is not the first time hackers have attacked whatsapp, few months ago a malware attacked the whatsapp user and started replaces popular apps with fake ones and tricks the users, serving them advertisements according to cybersecurity researchers.