Is Your GIF Safe? WhatsApp Feature Under Scanner After Hacking Scare

The vulnerabilities of Facebook-owned Whatsapp are out once again, but this time through something as simple as a GIF. A cybersecurity researcher has pointed out that hackers can gain access into the device through malicious GIFs due to a “double-free” bug.

The double-free bug is an error, which is a type of memory corruption, which can crash the app and even let hackers gain access to devices through a malicious GIF. The researcher, identified by the name Awakened, in a blogpost clarified that he reached out to Facebook, which now claims to have fixed the bug in WhatsApps version 2.19.244.

The researcher has also demonstrated the process through a demo video. He pointed out that attackers can send GIFs to users through any platform, even as documents. The device can be hacked as soon as the user downloads the link.

“Since WhatsApp shows previews of every media (including the GIF file received), it will trigger the double-free bug and our RCE [Remote code execution] exploit,” Awakened added.

In August 2019, the popular messaging app made headlines for another bug that allowed the hacker to alter messages. Israel-based security research firm Check Point Software pointed out three ways to manipulate both public and personal messages.

According to Check Point’s research, hackers could manipulate text messages using ‘quote’ feature, which allowed cybercriminals to:

• Change the name and appearance of the sender on WhatsApp.
•  Change a reply received from another contact, while a third method let hackers
• Send private messages disguised as a public message to all individuals in a WhatsApp group chat. This means the reply becomes visible to everyone in the conversation, even though it was intended to be private.

Check Point claimed that it reported the vulnerabilities to WhatsApp, but only the last of the three flaws have been addressed and fixed. The security research firm is still working with WhatsApp to get the other vulnerabilities blocked. However, it’s proving challenging because of WhatsApp’s encryption.

With a good user interface and less data requirement, the app has successfully managed to gain 1.5 Bn monthly active users, including 400 Mn in India. With two bugs coming out within a span of two months, the Indian users’ privacy has raised come under the radar.

However, a report released by AudienceNet said that around 80%, out of a sample size of 1,520 urban Indians aged 18 years and above, trusted WhatsApp with their data, despite its role in mob-lynching and spreading of fake news cases in India.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.