Skip to main content
  1. Home
  2. Mobile
  3. News

Your WhatsApp chats were vulnerable to attacks for months due to GIF exploit

Shubham Agarwal
By

WhatsApp has patched a critical security loophole that left your private messages and media vulnerable to breaches. The bug allowed attackers to remotely access your phone’s storage and all the files it hosts including your WhatsApp texts, pictures, videos, GIFs, and audio messages.

In order to exploit the bug, a hacker simply had to send you a malicious payload masquerading as a GIF through any non-Facebook channels or as a document through WhatsApp and Messenger. That is because, on the latter platforms, Facebook’s compression distorts the malware’s content.

The vulnerability existed inside a library that WhatsApp (and a whole lot of other apps) uses to preview a GIF. The library’s functions kick in whenever you tap the attach-media button and WhatsApp loads a grid of thumbnails. Therefore, you don’t even need to open the GIF to trigger the fraudulent code. It automatically activates when WhatsApp attempts to show its thumbnail even when you’re looking for another picture, video, or GIF.

Spotted originally by a Vietnamese security researcher, Pham Hong Nhat, the loophole remained unpatched for about three months.

Hong Nhat reported it to Facebook back in late July and the social media giant company rolled out the fix through WhatsApp version 2.19.244 in September. So in case you haven’t updated WhatsApp in a while, we recommend you go ahead and do it right away from the Play Store.

The issue only affected Android phones running on Android 8.1 or above and none of the iOS versions. It’s bewildering as to why it exclusively impacted the recent Android builds that, in theory, have better privacy frameworks in place. Ironically, Pham Hong Nhat says the older versions employ an outdated code that prevented the payload from being able to execute.

Fortunately, the developer behind the library in question — Android GIF Drawable — has released a patch as well. Hence, the vulnerability most likely won’t expose your data on the rest of the apps which use it for parsing GIFs.

Earlier last month, another WhatsApp vulnerability was discovered by Google’s security research team. The bug enabled attackers to take over iOS users’ WhatsApp chats by sending them malicious links.

Editors' Recommendations

Video-editing app LumaFusion to get a Galaxy Tab S8 launch
A tablet featuring the LumaFusion video editing app.
These 80+ apps could be running adware on your iPhone or Android device
Illustration of an infected iPhone
Can’t stand using Instagram in 2022? This app fixes everything you hate about it
The OG App running on an iPhone.
Google wants you to know Android apps aren’t just for phones anymore
Person holding Samsung Galaxy smartphone showing Google Play Store.
The best ad-blocking apps for Android in 2022
ad blocker feat image
Best smartwatch deals for October 2022
The best iPhone apps to download in October 2022
iOS 14 App Library
Best Kindle deals and sales for October 2022
Reading a Kindle Paperwhite in van
The best Android apps for October 2022
best Android apps
Apple Watch Series 8 temperature sensor: what it does and how to use it
The back of an Apple Watch Series 8.
The best iPhone games to play in October 2022: Lord of the Rings and more
iPhone XS Max
The best Android games available right now (October 2022)
android games
Best cheap Fitbit deals for October 2022
fitbit versa review version 1522045407 full 19