It has been reported that a new bug has been disclosed: one that allows an attacker to use a malicious GIF image file to trigger a vulnerability in WhatsApp and potentially access user content. The bug was identified and shared by “technologist and information security enthusiast” Awakened on GitHub, with a detailed explanation of how it works. Essentially, the bug relies on an attacker delivering the malicious GIF file to the victim’s device through any channel: WhatsApp, email or any other messaging platform. With the GIF on the device, when the victim opens the gallery within WhatsApp to send any image (not necessarily the malicious one), the exploit triggers and the device and its contents become potentially exposed.
Vulnerabilities in mobile operating systems and mobile apps give attackers the opportunity to gain persistence on the device, install further malware and leak data. This is the second vulnerability affecting WhatsApp this year, and Lookout frequently sees these types of flaws being exploited by attackers, one example being the Pegasus spyware developed by NSO Group. It is critical that users update both device operating systems and mobile apps. Enterprises should ensure visibility into all OS and app versions in use, while having mobile security on the device as an effective mitigating backstop.
The WhatsApp vulnerability recently disclosed by Awakened has several classic characteristics.
First, this vulnerability shows how software depends on a complex interaction of components. The vulnerability stems from an image handling component, which in turn depends on unusual behaviour in a memory allocator. Although this story is about WhatsApp, other software that relies on the same allocator behaviour may be exposed in the same way. Tracking the software supply chain, as part of a secure software development lifecycle, will enable organisations to understand the interdependencies of software and minimise risk.
Second, the vulnerability shows how software can misbehave when presented with unexpected or malformed input. The memory allocator showed peculiar, exploitable behavior when asked to allocate 0 bytes of memory. Negative testing and fuzz testing during development of the memory allocator could have surfaced this behavior, allowing it to be fixed well ahead of release.
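The following is an added example, not code from the WhatsApp GIF component or from Awakened's writeup. It shows the two things the paragraph above argues for: a negative test that probes what the C library actually does for a zero-byte allocation (the standard allows either a NULL or a non-NULL result, and `realloc(p, 0)` is implementation-defined, so a caller that keeps the old pointer can end up with a dangling one), and a frame-buffer resize routine that never hands the allocator a zero or absurd size derived from attacker-controlled image dimensions. The `frame_hdr` type, `MAX_FRAME_BYTES` limit and all function names are hypothetical.

```c
/* Added example: negative tests around zero-byte allocation and a resize
 * routine hardened against malformed image dimensions. Not from WhatsApp or
 * the original writeup; all names and the size limit are hypothetical. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical frame header: the dimensions come straight from the file,
 * so an attacker chooses them. */
typedef struct {
    uint32_t width;
    uint32_t height;
} frame_hdr;

/* Hypothetical sanity limit: no real frame in this format needs more. */
#define MAX_FRAME_BYTES ((size_t)256 << 20)

/* Probe malloc(0). Returns 1 if this libc returns a non-NULL pointer
 * (glibc does), 0 if it returns NULL. Both are permitted by the C standard,
 * which is exactly why decoder code must not depend on either. */
int malloc_zero_returns_pointer(void) {
    void *p = malloc(0);
    int nonnull = (p != NULL);
    free(p);                    /* free(NULL) is a no-op, so safe either way */
    return nonnull;
}

/* Probe realloc(p, 0). Returns 1 if the call returned NULL (glibc frees p
 * and returns NULL, so a caller that kept p now holds a dangling pointer),
 * 0 if it returned a fresh pointer. Only the returned pointer is freed. */
int realloc_zero_returns_null(void) {
    unsigned char *p = malloc(16);
    assert(p != NULL);
    unsigned char *q = realloc(p, 0);
    if (q != NULL) { free(q); return 0; }
    return 1;                   /* p has already been released: do not touch it */
}

/* Compute the byte size of a frame. Rejects zero-area frames (which would
 * reach the allocator as a 0-byte request) and dimensions whose product
 * overflows or exceeds the limit. Returns 0 on success, -1 if rejected. */
int frame_size(const frame_hdr *h, size_t *out) {
    if (h->width == 0 || h->height == 0) return -1;
    if ((size_t)h->width > MAX_FRAME_BYTES / h->height) return -1;
    *out = (size_t)h->width * (size_t)h->height;
    return 0;
}

/* Grow a pixel buffer for a new frame. Never calls realloc with size 0,
 * keeps the old buffer valid if realloc fails, and reuses the buffer when
 * the new frame fits. Returns 0 on success, -1 on rejected input or OOM. */
int frame_buffer_resize(uint8_t **buf, size_t *cap, const frame_hdr *h) {
    size_t need;
    if (frame_size(h, &need) != 0) return -1;
    if (*buf != NULL && need <= *cap) return 0;
    uint8_t *nb = realloc(*buf, need);      /* need > 0 is guaranteed here */
    if (nb == NULL) return -1;              /* *buf is untouched and still owned */
    *buf = nb;
    *cap = need;
    return 0;
}

/* Negative test: the inputs a fuzzer would find (zero width, zero height,
 * overflowing and oversized dimensions) followed by a well-formed frame.
 * Returns the number of malformed headers rejected (expected 4), or -1 if
 * the well-formed frame was wrongly rejected afterwards. */
int run_negative_tests(void) {
    const frame_hdr bad[] = {
        {0, 100}, {100, 0}, {UINT32_MAX, UINT32_MAX}, {65536, 65536},
    };
    uint8_t *buf = NULL;
    size_t cap = 0;
    int rejected = 0;
    for (size_t i = 0; i < sizeof bad / sizeof bad[0]; i++)
        if (frame_buffer_resize(&buf, &cap, &bad[i]) != 0) rejected++;
    frame_hdr ok = {64, 32};
    if (frame_buffer_resize(&buf, &cap, &ok) != 0) rejected = -1;
    free(buf);
    return rejected;
}

int main(void) {
    printf("malloc(0) non-NULL: %d\n", malloc_zero_returns_pointer());
    printf("realloc(p,0) NULL:  %d\n", realloc_zero_returns_null());
    printf("malformed headers rejected: %d\n", run_negative_tests());
    return 0;
}
```

The two probe functions are the negative test the paragraph describes: run them on each target libc and record the answer, because a decoder that assumes one behaviour will be wrong on the other. The resize routine is the caller-side fix: it refuses the zero-area frame before the allocator ever sees it, so the allocator's quirk never becomes reachable from file input.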
Finally, the vulnerability highlights the difficulty of describing software vulnerabilities accurately. This is not a vulnerability where an attacker can simply send a special GIF and take over your phone. An attacker would first need to exploit another vulnerability on your phone to learn the memory layout; only then could a crafted GIF be sent that results in compromise, and even then you would need to open the WhatsApp gallery before the exploit was triggered.