WhatsApp chats, messages, files vulnerable to hacks through malevolent GIFs

A security flaw has been revealed in WhatsApp which if exploited can help hijack chat sessions, messages as well as data files of users via sinister GIFs. The vulnerability, known as CVE-2019-11932, happens to be a double-free exploit discovered within WhatsApp to compromise Android phones of editions below 2.19.244.

The meaning of double-free exploit is referring to the 'free' aspect two times on software's value as well argument. Subsequently there maybe leakage of memory else it may become corrupt, enabling hackers to overwrite contents. The described errors can result in crashes, memory leaks as also running of random code. www.zdnet.com posted this, October 3, 2019.

On October 2, a security investigator using the handle "Awakened" uncovered and publicly disclosed the vulnerability. Awakened, through one technical essay, explained the activation of the bug on GitHub stating it could get triggered via dual methods. One, which necessitates certain malevolent app to be already loaded onto the target Android phone followed with the application subsequently crafting one rogue GIF file utilized for filching elements from WhatsApp with the aid of library data that has been duly collated.

The other method necessitates an end-user to encounter one sinister GIF payload within the free messaging service. The payload should arrive as one file attachment alternatively via other mediums. But, suppose one GIF gets dispatched straight away via the Gallery Picker of WhatsApp, there will be failed attack. And should the end-user click on WhatsApp's Gallery View, there'll occur two times parsing of the GIF that'll kick start one remote shell while result in an RCE (remote code execution).

The flaw is exploitable in both 8.1 and 9.0 versions of Android via their respective operating systems. Threat researcher Ashlee Benge from ZeroFOX Inc. a cyber-security company said in an interview by SiliconANGLE that WhatsApp like messaging apps had started pulling down media files even without user interaction for making user experience even better. However, there was also increase in risk for end-users. Apart from instances where sinister GIFs got pulled down devoid of user consent, there were frequently hyperlink previews which were exploited for installing malicious content, Benge noted.

» SPAMfighter News - 10/9/2019