Fair warning: It’s time for users to update encrypted messaging service WhatsApp.
A security researcher discovered a vulnerability in the Facebook-owned app that could allow attackers to obtain access to a device and steal data by sending a malicious GIF file, The Next Web reported on Wednesday. The issue is a double-free vulnerability, i.e., a memory corruption issue in which the same block of memory is released twice, which can crash apps or create an opening for a hacker to compromise the security of the affected device. According to the technical write-up, if an attacker sends a WhatsApp user such a modified GIF, the next time that user opens their WhatsApp photo gallery, the bug will strike. It seems that users running certain versions of the Android mobile OS are most likely to be impacted by the bug.
“The exploit works well until WhatsApp version 2.19.230,” the developer, Awakened, wrote. “The vulnerability is officially patched in WhatsApp version 2.19.244.”
“The exploit works well for Android 8.1 and 9.0, but does not work for Android 8.0 and below,” Awakened added. “In the older Android versions, double-free could still be triggered. However, because of the malloc calls by the system after the double-free, the app just crashes before reaching the point that we could control the PC register.”
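To make the bug class concrete, here is an added illustration in C; it is not WhatsApp's code, nor Awakened's, and the `frame_buf` type, the `frame_release` helper and the GIF-frame framing are hypothetical. It shows the shape of a double-free (two code paths that each believe they own a buffer) and the defensive pattern that neutralises it: a release function that frees once and clears the owner's pointer, so a repeated release becomes a harmless no-op rather than a second `free()` of the same heap block.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-frame pixel buffer, as an image decoder might allocate
 * one per GIF frame. Not WhatsApp's data structure. */
typedef struct {
    unsigned char *pixels;
    size_t len;
} frame_buf;

/* Counts real deallocations so the demo can report how often memory was freed. */
static int free_count = 0;

/* Allocate a zeroed frame of `len` bytes; returns 0 on success, -1 on failure. */
int frame_alloc(frame_buf *f, size_t len) {
    f->pixels = malloc(len);
    if (f->pixels == NULL)
        return -1;
    memset(f->pixels, 0, len);
    f->len = len;
    return 0;
}

/* Safe release: frees the buffer exactly once and nulls the owning pointer.
 * A second call on the same struct returns early instead of freeing again,
 * which is what turns a would-be double-free into a no-op. */
void frame_release(frame_buf *f) {
    if (f == NULL || f->pixels == NULL)
        return;
    free(f->pixels);
    f->pixels = NULL;
    f->len = 0;
    free_count++;
}

/* Simulates the bug shape: an error path releases the frame, then the
 * generic cleanup path, unaware the error path already ran, releases it
 * again. With frame_release the second call is harmless; had both paths
 * called free(f.pixels) directly, this would be a double-free.
 * Returns the number of real deallocations (expected: 1). */
int demo_double_release(void) {
    frame_buf f;
    free_count = 0;
    if (frame_alloc(&f, 64) != 0)
        return -1;

    frame_release(&f);   /* error path gives the buffer back */
    frame_release(&f);   /* cleanup path runs too; now a no-op */

    return free_count;
}

int main(void) {
    printf("real frees: %d\n", demo_double_release());
    return 0;
}
```

The point for reviewers and fuzzing harnesses is that a release helper which clears the pointer is a cheap, local fix; it does not remove the ownership confusion, but it stops that confusion from corrupting the allocator's metadata, which is the step an attacker needs before a crash can become control of execution.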
WhatsApp told The Next Web it had no reason to suspect any users were impacted and that it had resolved the issue in a patch.
“It was reported and quickly addressed last month,” a WhatsApp spokesperson told the site. “We have no reason to believe this affected any users though of course we are always working to provide the latest security features to our users.”
WhatsApp has had other security headaches in the past. In October 2018, a researcher with Google’s Project Zero bug hunting team released details of a vulnerability that could allow attackers to seize control of an account just by placing a video call. More recently, it was reported that a major bug with WhatsApp discovered by Israeli cyber-intelligence firm NSO Group allowed it to use the app to spread its powerful Pegasus malware; Pegasus reportedly was used by Saudi Arabia to conduct state espionage on dissidents, including those in contact with journalist-in-exile Jamal Khashoggi. Khashoggi was later murdered by Saudi agents in the country’s consulate in Istanbul.