Recently, a researcher going by the name ‘Awakened’ discovered a vulnerability in WhatsApp which stems from the double-free bug in the app. For those who don’t know, a double-free bug is a memory corruption issue that can crash apps and make way for hackers by opening an exploit vector to steal data. All the hacker needs to do is modify a GIF to make it malicious, send it to the victim and wait for him/her to open the WhatsApp gallery.
The researcher published the technical write up on GitHub where he explains that the issue sits in the view implementation of WhatsApp gallery.
The exploit, however, does not affect all versions of WhatsApp and Android. The researcher had this to say in his blog post:
The exploit works well for Android 8.1 and 9.0, but does not work for Android 8.0 and below, in the older Android versions, double-free could still be triggered. However, the app just crashes before reaching the point that we could control the PC register.
Facebook acknowledged and patched it officially in WhatsApp version 2.19.244. WhatsApp users, please do update to the latest WhatsApp version (2.19.244 or above) to get rid of this bug.
If we look back, this is not the first time we have seen WhatsApp’s harmful flaws surface. Earlier this year, a WhatsApp vulnerability that allowed hackers to slip spyware in the user device was reported. Before that in October 2018, Google’s project zero bug-hunting team reported a WhatsApp’s vulnerability that allowed hackers to seize an account by just placing a video call.
The security researcher informed Facebook of the vulnerability which has since been patched in version 2.19.244 of WhatsApp. To prevent falling victim to this attack, it is highly recommended that all WhatsApp users update the app to the latest version.