Internet Security Blog - Hackology
WhatsApp GIF Hack

Hacking WhatsApp with GIF Image



A vulnerability in WhatsApp has been discovered that can be used to compromise user chat sessions, files, and messages in other words WhatsApp can be hacked by just sending a GIF Image. It wasn’t long ago when I shared how WhatsApp and Telegram were hacked by 1 Image and now we have another exploit this time it is executed by a GIF.

The security flaw, CVE-2019-11932, is a double-free bug found in WhatsApp for Android in versions below 2.19.244.

A double free vulnerability in the DDGifSlurp function in decoding.c in libpl_droidsonroids_gif before 1.2.15, as used in WhatsApp for Android before 2.19.244, allows remote attackers to execute arbitrary code or cause a denial of service.

Demo Video of WhatsApp GIF Hack

WhatsApp GIF Attack Vectors

WhatsApp GIF hack can be executed by two ways

  1. Local privilege escaltion (from a user app to WhatsApp): A malicious app is installed on the Android device. The app collects addresses of zygote libraries and creates a malicious GIF file that results in code execution in WhatsApp. This allows the malware app to steal files from WhatsApp sandbox including message database.
  2. Remote code execution: Pairing with an application that has a remote memory information disclosure vulnerability, The attacker can collect the addresses of zygote libraries and craft a malicious GIF file to send it to the user via WhatsApp (must be as an attachment, not as an image through Gallery Picker as WhatsApp tries to convert media files into MP4 and that would make your malicious GIF useless). As soon as the user opens the Gallery view in WhatsApp, the GIF file will trigger a remote shell in WhatsApp context.
Must Read:  [PoC] WinRAR Vulnerability Actively Exploited by Hackers

WhatsApp on Latest Android is Hackable

Android versions 8.1 and 9.0 are exploitable, while the older versions are not. The researcher says that the double-free bug could still be triggered in older OS versions but a crash occurs before any malicious code can be executed to execute a RCE. 

Malicious GIF which Hacks WhatsApp

You just compile the code in this repo. The address of system() and gadget must be replaced by the actual address found by an information disclosure vulnerability which you need to find out on your own using other techniques before the GIF would do any RCE for you.

Once you compile the code mentioned in above link, you copy the content into a GIF file and send it as Document with in WhatsApp to another WhatsApp user. Remember not to send it as a Media file, otherwise WhatsApp tries to convert it into an MP4 before sending. Upon the user receives the malicious GIF file, nothing will happen until the user open WhatsApp Gallery to send a media file to his/her friend.

Conclusion

Facebook acknowledged the security issue and has patched the problem in WhatsApp version 2.19.244.  Although Facebook tried to make it seem as if its not a huge exploit while in reality it is a pretty nasty one. As always always keep your apps updated and do not install unnecessary app.

2 comments

This site uses Akismet to reduce spam. Learn how your comment data is processed.



Get Wise

Subscribe to my newsletter to get latest InfoSec / Hacking News (1 Email/week)
Brave Browser Message

Pin It on Pinterest

Shares
Share This