WhatsApp has a vulnerability that leverages malicious GIFs to compromise user chat sessions, files and messages. The security flaw, referred to as CVE-2019-11932, is a double-free bug that exists in WhatsApp for Android in all versions below 2.19.244.
The vulnerability was discovered by Awakened, a technology and information security enthusiast. You can read more about their discovery here. Awakened informed Facebook of the vulnerability and it has now been patched.
According to Awakened, the GIF is loaded with malicious software that can be used to attack WhatsApp users. Attackers send the GIF to an unsuspecting user who, upon opening it, triggers the attack. Cybercriminals will then have access to WhatsApp messages, files, photos, videos and more content on your device.
Synopsys reached out to CyberSecurity Asean to share their views and explain how such attacks can happen. According to Jonathan Knudsen, Senior Security Strategist at Synopsys Software Integrity Group, the vulnerability shows how software depends on a complex interaction of components.
The vulnerability stems from an image handling component, which depends on unusual behavior in a memory allocator. “Although this story is about WhatsApp, other applications are susceptible to such memory allocator vulnerabilities,” Jonathan claimed. Tracking the software supply chain, as part of a secure software development lifecycle, will enable organisations to understand the interdependencies of software and minimise risk.
He explained the vulnerability also shows how software can misbehave when presented with unexpected or malformed input. The memory allocator showed peculiar, exploitable behavior when asked to allocate 0 bytes of memory. Negative testing and fuzz testing during development of the memory allocator could have surfaced this behaviour, allowing it to be fixed well ahead of release.
Jonathan states that such an occurrence highlights the difficulty of describing software vulnerabilities accurately. “This is not a vulnerability where an attacker can send a special GIF and take over your phone. An attacker would need first to exploit another vulnerability on your phone to gain insight into the memory layout; only then could a crafted GIF be sent that would result in system compromise, and even then, you would need to open the WhatsApp gallery before the exploit would be triggered.”
From a user perspective, Jonathan pointed out the most important takeaway is being vigilant about updates. Vulnerabilities happen all the time, so the best a user can do is keep software current so that known vulnerabilities are addressed.
“This vulnerability in WhatsApp is not easy to exploit — it’s not like the old Ping of Death or the more recent bug where a malformed message would cause an iPhone to fail. This vulnerability would require that the attacker already had another toehold on the target’s device; only then could the attacker be able to deliver a crafted GIF that would take control.”
Jonathan added that once the attacker gained control of the target phone, he or she would be able to do pretty much anything the victim would normally be able to do on the phone.
“The most alarming aspect of this vulnerability is that it is actually a vulnerability in a software component, a media library used by WhatsApp. How many other apps use the same library? How many other apps might be vulnerable?”
Tim Mackey, Principal Security Strategist at Synopsys Software Integrity Group, said that while Facebook has released a patch for the vulnerability, there remains a risk for the broader Android community. When Facebook fixed the vulnerability in WhatsApp, they also contributed their changes to the open source library `android-gif-drawable`. This popular library is used to render GIF images on Android devices and is embedded in a number of other libraries and frameworks.
Tim explained that development teams should verify whether they have a version prior to 1.2.18 in the bill-of-materials for their application and update at their earliest opportunity. This is an example of why an up-to-date and accurate bill-of-materials mapped to security information is a crucial part of security governance for any software vendor.
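One way to run the bill-of-materials check Tim describes, as an added example that is not code from Synopsys, Facebook or the library's maintainers: it scans Gradle-style dependency lines for any `android-gif-drawable` below 1.2.18, honours Gradle's `old -> resolved` notation, and compares versions numerically. The sample dependency tree and the `com.example` coordinates are constructed for illustration.

```python
import re

FIXED = (1, 2, 18)  # versions prior to 1.2.18 need updating, per the article
ARTIFACT = "android-gif-drawable"

# Matches "group:artifact:version" with an optional Gradle " -> resolved" suffix.
COORD = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<version>[\w.\-]+)"
    r"(?:\s*->\s*(?P<resolved>[\w.\-]+))?"
)

# Constructed sample in the style of a Gradle dependency tree (not real output).
SAMPLE_BOM = """\
+--- com.example:chat-ui:3.1.0
|    +--- pl.droidsonroids.gif:android-gif-drawable:1.2.9
+--- pl.droidsonroids.gif:android-gif-drawable:1.2.10 -> 1.2.18
+--- com.example.fork:android-gif-drawable:1.2.17
"""

def parse_version(text):
    """Turn '1.2.9' into (1, 2, 9) so 1.2.9 sorts below 1.2.18 (strings would not)."""
    parts = []
    for piece in text.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)

def find_outdated(bom_text):
    """Return sorted (coordinate, effective_version) pairs below the fixed release."""
    hits = set()
    for line in bom_text.splitlines():
        for m in COORD.finditer(line):
            if m.group("artifact") != ARTIFACT:  # match by name to catch repackaged copies
                continue
            effective = m.group("resolved") or m.group("version")
            if parse_version(effective) < FIXED:
                hits.add((f"{m.group('group')}:{ARTIFACT}", effective))
    return sorted(hits)

if __name__ == "__main__":
    for coordinate, version in find_outdated(SAMPLE_BOM):
        print(f"UPDATE NEEDED: {coordinate} {version} (< 1.2.18)")
```

The transitive 1.2.9 copy and the repackaged 1.2.17 copy are reported, while the entry that Gradle resolves up to 1.2.18 is not.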