How a GIF could let a hacker view your WhatsApp messages

If you think you get funny looks when you tell folks you don’t have a Facebook account, just wait until you see the baffled reaction you receive from friends and family when you break it to them that you’re not on WhatsApp either.

All of which means that I don’t have to worry about the latest vulnerability that was found in the extraordinarily popular messaging service. A security hole could have allowed hackers to snoop upon your chat history just by tricking you into opening a booby-trapped GIF image.

The flaw, discovered by a Singapore-based researcher called Awakened, is said to work on Android 8.1 and 9.0 but only causes crashes on earlier versions of the operating system.

According to Awakened, who responsibly disclosed the flaw to Facebook-owned WhatsApp, the vulnerability was in android-gif-drawable, an open-source library used by WhatsApp to generate previews of GIF images.

According to WhatsApp (although how would they know?), the security vulnerability is not thought to have been used maliciously against any users.

WhatsApp version 2.19.244 has patched the vulnerability, and users are advised to update to the latest version to protect themselves from the flaw. Alternatively, you could choose to use a different messaging service, and convince your friends and contacts to do the same.

Good luck with that – I’ve been trying for years to get my non-security industry pals to dump WhatsApp and not had much success. Maybe they quite like not being able to contact me… :)

Full details of the flaw, going into an impressive level of technical detail, can be found on Awakened’s blog.

It’s not clear if Awakened received a bug bounty for his discovery and responsible disclosure, but it seems to me that a flaw like this could have earned some big bucks from intelligence agencies and hacking gangs who had an interest in spying upon the private communications of individuals of interest.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

2 comments on “How a GIF could let a hacker view your WhatsApp messages”

  1. coyote

    How would they know? They hope. Even if it's false.

    Yes. And spying on children included. Something you'd like to believe spies wouldn't do. Alas that is too much to hope for.

  2. Alex

    Is version 2.19.274 ok?
