Do you use Whatsapp on an Android device?
If so, you’ll want to upgrade to the latest version as soon as possible.
Recently, a critical vulnerability being tracked as ‘CVE-2019-11932’ was discovered that allows hackers to gain access to your chat logs and personal information by sending you a poisoned GIF.
The flaw is called a “Double-free vulnerability” because it’s triggered when the free() parameter is called twice on the same value and argument inside the software. When this happens, it causes memory in use to leak and become corrupted, opening the door to the execution of arbitrary code by a determined hacker.
The issue was discovered by an independent security researcher who goes by the name “Awakened.” While his or her true identity is unknown, they published the technical specifications of the attack on GitHub, which revealed that the bug can be triggered in two ways.
The first way requires a piece of malware code to be injected on a target Android device. This software generates a poisoned GIF which is used to hack Whatsapp via a collection of library data.
The second variant of the attack requires that a Whatsapp user be exposed to the poisoned GIF via other channels. For instance, if the poisoned file was sent directly to the user or inserted into a user’s gallery.
In any case, the company moved swiftly to patch the issue and if you’re not running a version below 2.19.244, you’re fine. If you are running an older version than that, you should update immediately, and better yet, just set Whatsapp to receive automatic updates so issues like these won’t plague you in the future.
Two things should be stressed here: First, this issue only seems to affect Whatsapp for Android. Second, so far, there’s no evidence that the attack has been seen used in the wild. Nonetheless, it pays to upgrade right away because now that the details of the attack are publicly available, it’s just a matter of time.