How a GIF could let a hacker view your WhatsApp messages

Graham Cluley


If you think you get funny looks when you tell folks you don’t have a Facebook account, just wait until you see the baffled reaction you receive from friends and family when you break it to them that you’re not on WhatsApp either.

All of which means that I don’t have to worry about the latest vulnerability that was found in the extraordinarily popular messaging service. A security hole could have allowed hackers to snoop upon your chat history just by tricking you into opening a booby-trapped GIF image.

The flaw, discovered by a Singapore-based researcher called Awakened, is said to work on Android 8.1 and 9.0 but only causes crashes on earlier versions of the operating system.

According to Awakened, who responsibly disclosed the flaw to Facebook-owned WhatsApp, the vulnerability was in android-gif-drawable, an open-source library used by WhatsApp to generate previews of GIF images.

According to WhatsApp (although how would they know?) the security vulnerability is not thought to have been used maliciously against any users.

WhatsApp version 2.19.244 has patched the vulnerability, and users are advised to update to the latest version to protect themselves from the flaw. Alternatively, you could choose to use a different messaging service, and convince your friends and contacts to do the same.

Good luck with that – I’ve been trying for years to get my non-security industry pals to dump WhatsApp and not had much success. Maybe they quite like not being able to contact me… :)

Full details of the flaw, going into an impressive level of technical detail, can be found on Awakened’s blog.

It’s not clear if Awakened received a bug bounty for his discovery and responsible disclosure, but it seems to me that a flaw like this could have earned some big bucks from intelligence agencies and hacking gangs who had an interest in spying upon the private communications of individuals of interest.

Graham Cluley is a veteran of the anti-virus industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

2 Replies to “How a GIF could let a hacker view your WhatsApp messages”

  1. How would they know? They hope. Even if it's false.

    Yes. And spying on children included. Something you'd like to believe spies wouldn't do. Alas that is too much to hope for.
