Your WhatsApp chats were vulnerable to attacks for months due to GIF exploit

WhatsApp has patched a critical security loophole that left your private messages and media vulnerable to breaches. The bug allowed attackers to remotely access your phone’s storage and all the files it hosts including your WhatsApp texts, pictures, videos, GIFs, and audio messages.

To exploit the bug, an attacker simply had to send you a malicious payload masquerading as a GIF through any non-Facebook channel, or as a document through WhatsApp and Messenger. The payload had to go as a document on the latter platforms because Facebook’s compression distorts the malware’s content.

The vulnerability existed inside a library that WhatsApp (and a whole lot of other apps) uses to preview a GIF. The library’s functions kick in whenever you tap the attach-media button and WhatsApp loads a grid of thumbnails. Therefore, you don’t even need to open the GIF to trigger the malicious code. It activates automatically when WhatsApp attempts to show the GIF’s thumbnail, even when you’re looking for another picture, video, or GIF.

Spotted originally by a Vietnamese security researcher, Pham Hong Nhat, the loophole remained unpatched for about three months.

Hong Nhat reported it to Facebook back in late July, and the social media giant rolled out the fix through WhatsApp version 2.19.244 in September. So if you haven’t updated WhatsApp in a while, we recommend you go ahead and do it right away from the Play Store.

The issue affected only phones running Android 8.1 or above, and none of the iOS versions. It’s bewildering that it exclusively impacted the recent Android builds that, in theory, have better privacy frameworks in place. Ironically, Pham Hong Nhat says the older versions employ outdated code that prevented the payload from executing.

Fortunately, the developer behind the library in question — Android GIF Drawable — has released a patch as well. Hence, the vulnerability most likely won’t expose your data on the rest of the apps which use it for parsing GIFs.

Earlier last month, another WhatsApp vulnerability was discovered by Google’s security research team. The bug enabled attackers to take over iOS users’ WhatsApp chats by sending them malicious links.

Shubham Agarwal
Shubham Agarwal is a freelance technology journalist from Ahmedabad, India. His work has previously appeared in Firstpost…