Your WhatsApp chats were vulnerable to attacks for months due to GIF exploit

WhatsApp has patched a critical security flaw that left your private messages and media vulnerable to breaches. The bug allowed attackers to remotely access your phone’s storage and all the files on it, including your WhatsApp texts, pictures, videos, GIFs, and audio messages.

To exploit the bug, a hacker simply had to send you a malicious payload masquerading as a GIF through any non-Facebook channel, or as a document through WhatsApp and Messenger. The document route is needed on the latter platforms because Facebook’s compression distorts the malware’s content.

The vulnerability existed inside a library that WhatsApp (and a whole lot of other apps) uses to preview a GIF. The library’s functions kick in whenever you tap the attach-media button and WhatsApp loads a grid of thumbnails. Therefore, you don’t even need to open the GIF to trigger the malicious code. It activates automatically when WhatsApp attempts to show the GIF’s thumbnail, even when you’re looking for another picture, video, or GIF.

Spotted originally by a Vietnamese security researcher, Pham Hong Nhat, the loophole remained unpatched for about three months.

Hong Nhat reported it to Facebook back in late July, and the social media giant rolled out the fix through WhatsApp version 2.19.244 in September. So in case you haven’t updated WhatsApp in a while, we recommend you go ahead and do it right away from the Play Store.

The issue only affected Android phones running Android 8.1 or above and none of the iOS versions. It’s puzzling that it exclusively impacted the recent Android builds, which, in theory, have better privacy frameworks in place. Ironically, Pham Hong Nhat says the older versions employ outdated code that prevented the payload from being able to execute.

Fortunately, the developer behind the library in question — Android GIF Drawable — has released a patch as well. Hence, the vulnerability most likely won’t expose your data on the rest of the apps which use it for parsing GIFs.

Earlier last month, another WhatsApp vulnerability was discovered by Google’s security research team. The bug enabled attackers to take over iOS users’ WhatsApp chats by sending them malicious links.

Shubham Agarwal
Shubham Agarwal is a freelance technology journalist from Ahmedabad, India. His work has previously appeared in Firstpost…