If you think you get funny looks when you tell folks you don’t have a Facebook account, just wait until you see the baffled reaction you receive from friends and family when you break it to them that you’re not on WhatsApp either.
All of which means that I don’t have to worry about the latest vulnerability that was found in the extraordinarily popular messaging service. A security hole could have allowed hackers to snoop upon your chat history just by tricking you into opening a boobytrapped GIF image.
The flaw, discovered by a Singapore-based researcher called Awakened, is said to work on Android 8.1 and 9.0 but only causes crashes on earlier versions of the operating system.
According to Awakened, who responsibly disclosed the flaw to Facebook-owned WhatsApp, the vulnerability was in android-gif-drawable, an open-source library used by WhatsApp to generate previews of GIF images.
According to WhatsApp (although how would they know?), the security vulnerability is not thought to have been used maliciously against any users.
WhatsApp version 2.19.244 has patched the vulnerability, and users are advised to update to the latest version to protect themselves from the flaw. Alternatively, you could choose to use a different messaging service, and convince your friends and contacts to do the same.
Good luck with that – I’ve been trying for years to get my non-security industry pals to dump WhatsApp and not had much success. Maybe they quite like not being able to contact me… :)
Full details of the flaw, going into an impressive level of technical detail, can be found on Awakened’s blog.
It’s not clear if Awakened received a bug bounty for his discovery and responsible disclosure, but it seems to me that a flaw like this could have earned some big bucks from intelligence agencies and hacking gangs who had an interest in spying upon the private communications of individuals of interest.
2 comments on “How a GIF could let a hacker view your WhatsApp messages”
How would they know? They hope. Even if it's false.
Yes. And spying on children included. Something you'd like to believe spies wouldn't do. Alas that is too much to hope for.
Is version 2.19.274 ok?