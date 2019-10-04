Facebook-owned instant messaging platform WhatsApp has been affected by a security bug that allows attackers to access the user's device and subsequently the data stored on it via a malicious GIF file.

The vulnerability, which stems from a double-free bug, was discovered in WhatsApp for Android by Awakened, a technologist and information security enthusiast. According to the researcher's post on GitHub, the exploit works well up to WhatsApp version 2.19.230, and the vulnerability is officially patched in WhatsApp version 2.19.244.

The exploit works well on Android 8.1 and 9.0, but does not work on Android 8.0 and below, the post said.

How does it work?

As explained by Awakened, the hacker sends a corrupted GIF file to the user via any channel, in the form of a document, message or anything else. Because WhatsApp shows previews of all media, including the received GIF file, the double-free bug is triggered automatically when the user opens the WhatsApp Gallery to send a media file to any of their contacts.

The researcher also advised users to update WhatsApp to the latest version (2.19.244 or above) to stay safe from this bug.

"The key point that the [vulnerability disclosure] makes is that this issue affects the user on the sender side, meaning the issue could, in theory, occur when the user takes action to send a GIF. The issue would impact their own device," a WhatsApp person told The Next Web (TNW) in response to the vulnerability highlighted by the security researcher. "It was reported and quickly addressed last month. We have no reason to believe this affected any users though of course, we are always working to provide the latest security features to our users."