WhatsApp recently patched two security flaws in its messaging app that could have been used to remotely execute malicious code and even steal data.
The exploits target Android devices up to and including Android 9 by performing a “man-in-the-middle” attack, which allows attackers to compromise an app by manipulating data being shared between it and the external storage device.
The cybersecurity company has no way of knowing whether the attacks have been used in the open
To minimize the risk associated with the bugs, all WhatsApp users are advised to upgrade to version 188.8.131.52.
The two vulnerabilities, according to Census Labs researchers, would have enabled attackers to remotely collect TLS cryptographic material for TLS 1.3 and TLS 1.2 sessions.
They said they would use the TLS secrets to show how a man-in-the-middle (MitM) attack would lead to WhatsApp chats being compromised, remote code execution on the victim device, and the extraction of Noise protocol keys used for end-to-end encryption in users’ chats.
The vulnerability (CVE-2021-24027) takes advantage of Chrome’s support for content providers in Android (through the “content://” URL scheme) and a same-origin policy bypass in the browser (CVE-2020-6516). Together these allow an attacker to send a specially crafted HTML file to a victim via WhatsApp; when the file is opened in the browser, the code it contains is executed.
The malicious code can access any resource stored in the unprotected external storage area, including resources belonging to WhatsApp. WhatsApp was discovered to save TLS session key details in a sub-directory there, among other things, and so revealed sensitive information to any app that is provisioned to read or write from the external storage area.
With the keys in hand, the attacker may launch a man-in-the-middle attack to gain remote code execution, or even exfiltrate the Noise protocol key pairs, which are used to run an encrypted channel between the client and server for transport layer protection. The app gathers these key pairs for diagnostic purposes, and the attacker obtains them by causing an out-of-memory error on the victim’s device.
When this error occurs, WhatsApp’s debugging mechanism sends the encoded key pairs, as well as application logs, device information, and other memory data, to a dedicated crash logs server (“crashlogs.whatsapp.net”). This only happens on devices that have the latest version of the app installed.
To minimize the risk associated with the bugs, all WhatsApp users are advised to upgrade to version 184.108.40.206.
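For teams checking their own apps for the storage weakness described above (TLS session data written to shared external storage), the following added example, which is not from the original article or from WhatsApp, audits a copy of an external-storage tree for files that look like key material. The name hints, entropy threshold, package name and file names are assumptions chosen for illustration.

```python
import math, os, tempfile
from collections import Counter

# Assumed heuristics (not from the article): name hints and an entropy threshold.
NAME_HINTS = ("ssl", "tls", "session", "key", "cert")
ENTROPY_THRESHOLD = 7.0   # bits per byte; random key material approaches 8.0
MARKERS = (b"-----BEGIN", b"PRIVATE KEY")

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def audit_external_storage(root: str, sample_size: int = 4096):
    """Return sorted (relative_path, reasons) for files that look like secrets."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                head = fh.read(sample_size)
            reasons = []
            if any(h in rel.lower() for h in NAME_HINTS):
                reasons.append("name")
            if any(m in head for m in MARKERS):
                reasons.append("pem-marker")
            if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
                reasons.append("high-entropy")
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)

def build_constructed_tree(root: str) -> None:
    """Constructed sample layout; the package and file names are hypothetical."""
    app = os.path.join(root, "Android", "data", "com.example.app")
    os.makedirs(os.path.join(app, "cache", "tls_sessions"))
    os.makedirs(os.path.join(app, "files"))
    with open(os.path.join(app, "cache", "tls_sessions", "host.443"), "wb") as fh:
        fh.write(os.urandom(2048))          # stands in for a serialized session
    with open(os.path.join(app, "files", "notes.txt"), "w") as fh:
        fh.write("plain text export\n" * 50)

def demo():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_tree(root)
        return audit_external_storage(root)
```

Any finding under a shared external-storage path is a candidate for moving into the app's private internal storage, which other apps cannot read.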