WhatsApp recently patched two security flaws in its messaging app that could have been used to remotely execute malicious code and even steal data.
News Highlights
The exploits target Android devices up to and including Android 9 by performing a “man-in-the-middle” attack, which allows attackers to compromise an app by manipulating data being shared between it and the external storage area.
The cybersecurity company has no way of knowing whether the attacks have been used in the open
To minimize the risk associated with the bugs, all WhatsApp users are advised to upgrade to version 2.21.4.18.
The two vulnerabilities, according to Census Labs researchers, would have enabled attackers to remotely collect TLS cryptographic material for TLS 1.3 and TLS 1.2 sessions.
The researchers said they would use the TLS secrets to show how a man-in-the-middle (MitM) attack would lead to compromised WhatsApp chats, remote code execution on the victim’s device, and extraction of the Noise protocol keys used for end-to-end encryption of users’ chats.
The vulnerability (CVE-2021-24027) takes advantage of Chrome’s support for content providers in Android (through the “content://” URL scheme) and a same-origin policy bypass in the browser (CVE-2020-6516), allowing an attacker to send a specially crafted HTML file to a victim via WhatsApp which, when opened in the browser, executes the code it contains.
The malicious code can access any resource stored in the unprotected external storage area, including WhatsApp’s own files; the app was found to store TLS session key details, among other things, in a sub-directory there, exposing that sensitive information to any app that is provisioned to read or write external storage.
The attacker only needs the target to open an HTML document attachment, which WhatsApp renders in Chrome over a content provider, and the attacker’s JavaScript can then read the stored TLS session keys.
With the keys in hand, the attacker can mount a man-in-the-middle attack to gain remote code execution, or even exfiltrate the Noise protocol key pairs (which establish the encrypted channel between client and server for transport-layer protection) that the app collects for diagnostic purposes, by triggering an out-of-memory error on the victim’s device.
When this error occurs, WhatsApp’s debugging mechanism sends the encoded key pairs, along with application logs, device information, and other memory data, to a dedicated crash logs server (“crashlogs.whatsapp.net”). This only happens on devices that have the latest version of the app installed.
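As an added example (not from the article and not WhatsApp’s code), the following Python script shows the two defensive checks this chain points at: auditing a snapshot of an app’s external-storage directory for TLS session-key material, and scrubbing such material from crash-log text before it is uploaded. It assumes the NSS/SSLKEYLOGFILE key-log layout (CLIENT_RANDOM for TLS 1.2, traffic-secret labels for TLS 1.3) as a stand-in for whatever format the app actually wrote, and every hex value in it is constructed.

```python
"""Audit an external-storage snapshot for TLS session secrets and scrub
them from crash-log text (added example, not the app's own code)."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Labels of the NSS/SSLKEYLOGFILE format that Wireshark and browsers use.
# Assumption: the article does not give the layout WhatsApp's files used;
# this well-known format stands in for it here.
_LABELS = (
    "CLIENT_RANDOM",                    # TLS 1.2 master secret
    "CLIENT_EARLY_TRAFFIC_SECRET",      # TLS 1.3 secrets follow
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
)
# <label> <32-byte client random as hex> <secret as hex>
KEYLOG_RE = re.compile(
    r"^(?P<label>%s) (?P<client_random>[0-9a-fA-F]{64}) (?P<secret>[0-9a-fA-F]{32,})$"
    % "|".join(_LABELS)
)


def find_keylog_lines(text: str) -> list[tuple[int, str]]:
    """Return (1-based line number, label) for every key-log entry in text."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = KEYLOG_RE.match(line.strip())
        if match:
            hits.append((number, match.group("label")))
    return hits


def scan_tree(root: Path) -> list[dict]:
    """Walk a directory snapshot and report every file and line holding a secret."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the audit
        for number, label in find_keylog_lines(text):
            findings.append({"file": str(path.relative_to(root)),
                             "line": number, "label": label})
    return findings


def redact_secrets(text: str) -> str:
    """Replace the key material of any key-log entry before the text leaves
    the device; the label survives so the line is still recognisable."""
    out = []
    for line in text.splitlines():
        match = KEYLOG_RE.match(line.strip())
        out.append(f"{match.group('label')} <REDACTED>" if match else line)
    return "\n".join(out)


# Constructed sample: repeated fake hex bytes, not real key material.
SAMPLE_KEYLOG = "\n".join([
    "# tls session cache (constructed sample)",
    "CLIENT_RANDOM " + "a1" * 32 + " " + "b2" * 48,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "c3" * 32 + " " + "d4" * 32,
    "INFO handshake complete",
])


def demo() -> list[dict]:
    """Build a throwaway external-storage snapshot and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tls").mkdir()
        (root / "tls" / "session.log").write_text(SAMPLE_KEYLOG)
        (root / "notes.txt").write_text("nothing sensitive here\n")
        return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
    print(redact_secrets(SAMPLE_KEYLOG))
```

Run against a real snapshot by calling `scan_tree(Path("/path/to/snapshot"))`; any finding means secrets are being written where any app with storage permission can read them, which is the condition the HTML-attachment chain above relied on. The redaction helper is the counterpart for the crash-report path: apply it to log text before it is handed to an upload mechanism.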