A vulnerability in WhatsApp has been discovered that can be used to compromise user chat sessions, files, and messages. In other words, WhatsApp can be hacked just by sending a GIF image. It wasn't long ago that I shared how WhatsApp and Telegram were hacked by 1 image, and now we have another exploit; this time it is executed by a GIF.
The security flaw, CVE-2019-11932, is a double-free bug found in WhatsApp for Android in versions below 2.19.244.
A double free vulnerability in the DDGifSlurp function in decoding.c in libpl_droidsonroids_gif before 1.2.15, as used in WhatsApp for Android before 2.19.244, allows remote attackers to execute arbitrary code or cause a denial of service.
WhatsApp GIF Attack Vectors
The WhatsApp GIF hack can be executed in two ways:
- Local privilege escalation (from a user app to WhatsApp): A malicious app is installed on the Android device. The app collects the addresses of zygote libraries and creates a malicious GIF file that results in code execution in WhatsApp. This allows the malware app to steal files from the WhatsApp sandbox, including the message database.
- Remote code execution: Paired with an application that has a remote memory information disclosure vulnerability, the attacker can collect the addresses of zygote libraries and craft a malicious GIF file to send to the user via WhatsApp (it must be sent as an attachment, not as an image through the Gallery Picker, as WhatsApp tries to convert media files into MP4, which would make the malicious GIF useless). As soon as the user opens the Gallery view in WhatsApp, the GIF file will trigger a remote shell in the WhatsApp context.
WhatsApp on Latest Android is Hackable
Android versions 8.1 and 9.0 are exploitable, while the older versions are not. The researcher says that the double-free bug could still be triggered in older OS versions, but a crash occurs before any malicious code can be executed to achieve RCE.
Malicious GIF which Hacks WhatsApp
You just compile the code in this repo. The addresses of system() and the gadget must be replaced by the actual addresses found through an information disclosure vulnerability, which you need to find on your own using other techniques before the GIF would do any RCE for you.
Once you compile the code mentioned in the above link, you copy the content into a GIF file and send it as a Document within WhatsApp to another WhatsApp user. Remember not to send it as a Media file; otherwise WhatsApp tries to convert it into an MP4 before sending. After the user receives the malicious GIF file, nothing will happen until the user opens the WhatsApp Gallery to send a media file to his/her friend.
Facebook acknowledged the security issue and has patched the problem in WhatsApp version 2.19.244. Facebook tried to make it seem as if it's not a huge exploit, while in reality it is a pretty nasty one. As always, keep your apps updated and do not install unnecessary apps.
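To find out which devices in a fleet still need the update, the version thresholds stated above can be applied to a device inventory. The following is an added example, not code from the researcher or from WhatsApp. The CSV layout, device names, and status labels are assumptions made for illustration, and the inventory rows are constructed.

```python
import csv
import io

FIXED_WHATSAPP = (2, 19, 244)      # first patched release, per the article
RCE_ANDROID = {(8, 1), (9, 0)}     # Android releases the article calls exploitable

# Constructed inventory (for example, an MDM export); not real devices.
SAMPLE_INVENTORY = """device,android,whatsapp
pixel-01,9,2.19.230
galaxy-02,8.1.0,2.19.244
moto-03,7.1.1,2.19.98
nexus-04,8.0.0,2.18.380
pixel-05,10,2.19.216
tablet-06,9,2.19.x
"""

def parse_version(text, width):
    """'8.1.0' -> (8, 1) for width=2; missing fields are zero-padded."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in parts][:width]
    return tuple(nums + [0] * (width - len(nums)))

def classify(android, whatsapp):
    """Map one device to a status label (labels are this example's own)."""
    try:
        wa = parse_version(whatsapp, 3)
        os_ver = parse_version(android, 2)
    except ValueError:
        return "review"                  # version unreadable; check by hand
    if wa >= FIXED_WHATSAPP:
        return "patched"
    if os_ver in RCE_ANDROID:
        return "vulnerable-rce"          # code execution reported on 8.1 and 9.0
    if os_ver < (8, 1):
        return "vulnerable-crash"        # bug triggers, but the app crashes first
    return "vulnerable-unconfirmed"      # OS release the article does not cover

def triage(inventory_csv):
    """Return {device: status} for every row of the inventory."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["device"]: classify(r["android"], r["whatsapp"]) for r in rows}

if __name__ == "__main__":
    for device, status in triage(SAMPLE_INVENTORY).items():
        print(f"{device:10} {status}")
```

Every status other than "patched" means the device should be updated to 2.19.244 or later; the split only orders the work by the impact described above.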