It is once again time to update WhatsApp. According to a report published by a security researcher, a bug in Facebook’s instant messaging platform could allow hackers to steal your files and messages by using malicious GIFs.
The security researcher, who goes by the name “Awakening,” published a report on GitHub detailing the exploit.
The bug stems from a double-free flaw in WhatsApp, according to the report. For the uninitiated, a double-free bug is a memory corruption flaw, in which a program frees the same memory twice, that could crash an app or, worse, open a backdoor that hackers could use to gain access to your device.
The report places the bug in WhatsApp’s Gallery view implementation, a feature that helps generate previews for images, videos, and GIFs. A hacker could take advantage of the flaw by merely creating a malicious GIF and then waiting for the user to open their gallery.
The reported exploit only works on Android 8.0 and Android 9.0 Pie; older versions of Android appear to be spared on this one.
“In the older Android versions, double-free could still be triggered. However, […] the app just crashes before reaching to the point that we could control the PC register,” Awakening wrote in the report.
The issue was reported to the company, and Facebook has since patched the bug. There is no need to worry if you have already updated WhatsApp to version 2.19.244 or above.
In response to the matter, a WhatsApp spokesperson stated, “The key point that the [vulnerability disclosure] makes is that this issue affects (sic) the user on the sender side, meaning the issue could, in theory, occur when the user takes action to send a GIF.”
“The issue would impact their own device. It was reported and quickly addressed last month.” The company believes there were no victims of the vulnerability.
Later on, Awakening disputed the company’s claims that an attacker could deploy the exploit if a “user takes action to send a GIF.” He further provided a proof-of-concept. “The spokesperson must have misunderstood the issue,” he wrote to TNW.