WhatsApp chats can be hacked with a malicious GIF

News
By
published

Vulnerability can let hackers take over your device

(Image credit: Shutterstock.com)

A new vulnerability has been discovered in WhatsApp which leverages malicious GIFS to compromise user chat sessions, files and messages.

The security flaw, referred to as CVE-2019-11932, is a double-free bug that exists in WhatsApp for Android in all versions below 2.19.244.

A double-free vulnerability occurs when the free() parameter is called twice on the same value & argument in software. This kind of bug could lead to memory leaking or becoming corrupted and this gives an attacker the chance to overwrite elements or even execute arbitrary code.

The WhatsApp vulnerability was discovered by a researcher who goes by the handle “Awakened” who created and used a malicious GIF file to trigger the vulnerability to perform a Remote Code Execution (RCE) attack.

WhatsApp double-free vulnerability

In a technical writeup on GitHub, Awakened explained that the bug can be triggered in two ways. The first way requires that a malicious application is already installed on a target Android device and the app then creates a malicious GIF file used to steal files from WhatsApp by collecting library data.

The second attack method requires that a user be exposed to a malicious GIF's payload in WhatsApp either as an attachment or through other channels. However, if a GIF is sent directly through WhatsApp's Gallery Picker, the attack will fail. Once a user opens the Gallery View in WhatsApp, the GIF file will be parsed twice which will trigger a remote shell in the app and lead to RCE.

Android 8.1 and 9.0 are both exploitable using the flaw though versions of the OS below 8.0 are not. According to Awakened, the double-free bug can still be triggered in older versions of Android but a crash occurs before any malicious code can be executed.

The security researcher informed Facebook of the vulnerability which has since been patched in version 2.19.244 of WhatsApp. To prevent falling victim to this attack, it is highly recommended that all WhatsApp users update the app to the latest version.

Via ZDNet

TOPICS
Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in Security
Woman shocked by online scam, holding her credit card outside
Cybercriminals used vendor backdoor to steal almost $600,000 of Taylor Swift tickets
Woman using iMessage on iPhone
UK government guidelines remove encryption advice following Apple backdoor spat
Cryptocurrencies
Ransomware’s favorite Russian crypto exchange seized by law enforcement
Wordpress brand logo on computer screen. Man typing on the keyboard.
Thousands of WordPress sites targeted with malicious plugin backdoor attacks
HTTPS in a browser address bar
Malicious "polymorphic" Chrome extensions can mimic other tools to trick victims
ransomware avast
Hackers spotted using unsecured webcam to launch cyberattack
Latest in News
Apple iPhone 16 Review
Three iPhone 17 model dummy units appear in a hands-on video leak
The Samsung Galaxy S25 Edge on display the January 22, 2025 Galaxy Unpacked event.
New Samsung Galaxy S25 Edge may have revealed some key details – including its price
Quordle on a smartphone held in a hand
Quordle hints and answers for Sunday, March 9 (game #1140)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Sunday, March 9 (game #371)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Sunday, March 9 (game #637)
WhatsApp
WhatsApp just made its AI impossible to avoid – but at least you can turn it off
More about security
Woman shocked by online scam, holding her credit card outside

Cybercriminals used vendor backdoor to steal almost $600,000 of Taylor Swift tickets
Cryptocurrencies

Ransomware’s favorite Russian crypto exchange seized by law enforcement
Lexar ARMOR GOLD and SILVER PRO

Almost indestructible memory card launched; Lexar's Armor SD steel cards are water resistant and can survive a 16-feet drop
See more latest
Most Popular
Lexar ARMOR GOLD and SILVER PRO
Almost indestructible memory card launched; Lexar's Armor SD steel cards are water resistant and can survive a 16-feet drop
IBM FlashSystem C200
'Writing is on the wall for spinning rust': IBM joins Pure Storage in claiming disk drives will go the way of the dodo in enterprises
Disney Imagineering BDX Droids at Disneyland Galaxy's Edge
The adorable BDX Droids are coming to more Disney Parks around the world, including Disney World
Orange servers and networks
Alibaba doubles down on RISC-V architecture with a new secretive 'server-grade' chip that will put AMD and Intel on alert
Apple iPhone 16 Review
Three iPhone 17 model dummy units appear in a hands-on video leak
Samsung Galaxy S25 Ultra HANDS ON
‘I don't see a space where the S Pen is not a key part of our portfolio’: Samsung executive defends the S Pen amid cancellation rumors
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Sunday, March 9 (game #371)
Quordle on a smartphone held in a hand
Quordle hints and answers for Sunday, March 9 (game #1140)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Sunday, March 9 (game #637)
Cunard Photo Book
Billions of cherished photos at risk; only a third of Americans back up their precious pics to the cloud