WhatsApp vulnerability allowed GIFs to be weaponised


It’s safe to go back to your gallery, thank God.

GIFS, USUALLY JUST a harmless substitute for originality, were temporarily smartphone-seeking missiles thanks to a now-patched vulnerability in Facebook-owned WhatsApp.

The bug, discovered by a researcher going by the name of Awakened, is what’s known as a double-free vulnerability: the app frees the same block of memory twice, which can corrupt memory and either crash the app or compromise the device’s security more generally. A weakness in WhatsApp meant that a hacker could simply create a malicious GIF, get it to the target and then wait for the target to open the WhatsApp gallery.

The second step is, as you might imagine, a little tricky because a hacker couldn’t send it via WhatsApp gallery, or they’d end up hitting themselves in the process. The researcher notes an alternative is to send it as a WhatsApp document where it’ll be automatically downloaded if you’re a trusted contact.

Weirdly, this is the rare kind of situation where you’re actually safer with an older phone. “The exploit works well for Android 8.1 and 9.0, but does not work for Android 8.0 and below,” writes Awakened in the technical write-up.

“In the older Android versions, double-free could still be triggered. However, because of the malloc calls by the system after the double-free, the app just crashes before reaching to the point that we could control the PC register.”

The bug is now fixed in the latest build of WhatsApp – that’s 2.19.244, version number fans – and Facebook says it’s unaware of anybody who fell foul of any evil GIFs. “It was reported and quickly addressed last month,” a WhatsApp spokesperson told The Next Web. “We have no reason to believe this affected any users though of course we are always working to provide the latest security features to our users.”

For now, then, your WhatsApp gallery is safe to venture into once again, but you could always use this as an opportunity to use words instead of animations if you fancy. µ
