New WhatsApp Vulnerabilities could have allowed Attackers to Hack Android Mobile Remotely

 

WhatsApp technical team recently addressed 2 security vulnerabilities in WhatsApp for Android. As per security researchers Remote attackers could have exploited these vulnerabilities to execute malicious code on a target device.

The flaws allow attackers to execute “man-in-the-disk” attacks that is possible when mobile apps use External Storage that is shared across all the applications. Attacker can manipulate certain data being exchanged between mobile app and the external storage

Census Labs researchers reported one of the two issues(CVE-2021-24027) and said “We will show how the two aforementioned WhatsApp vulnerabilities would have made it possible for attackers to remotely collect TLS cryptographic material for TLS 1.3 and TLS 1.2 sessions.”

“With the TLS secrets at hand, we will demonstrate how a man-in-the-middle (MitM) attack can lead to the compromise of WhatsApp communications, to remote code execution on the victim device and to the extraction of Noise protocol keys used for end-to-end encryption in user communications.”

The CVE-2021-24027 vulnerability , in prior to WhatsApp for Android v2.21.4.18 and WhatsApp Business for Android v2.21.4.18, leverages Chrome's support in Android and this can allow an attacker with access to the device’s external storage to read cached TLS material. An attacker can send a specially-crafted HTML file to a victim over WhatsApp, which once opened in the victim’s browser, executes the attacker’s code contained in the HTML file.

"All an attacker has to do is lure the victim into opening an HTML document attachment. WhatsApp will render this attachment in Chrome, over a content provider, and the attacker's Javascript code will be able to steal the stored TLS session keys." Census Labs researcher Chariton Karamitas said.

“WhatsApp comes with a debugging mechanism that allows its development team to catch fatal errors happening in the wild during the first few days of a release. More specifically, if an OutOfMemoryError exception is thrown, a custom exception handler is invoked that collects System Information, WhatsApp Application Logs, as well as a dump of the Application Heap (collected using android.os.Debug::dumpHprofData). These are uploaded to crashlogs.whatsapp.net.”  As per report.

The attackers could purposefully throw the exception to force the data being sent to the server to intercept it.

Google has already addressed this vulnerability by introducing the “scoped storage” model in Android 10 that allows each app to access only their own app-specific cache files.

Remediation

The CVE-2021-24027 vulnerabilities were addressed by WhatsApp with the release of version 2.21.4.18.

WhatsApp users are recommended to use version 2.21.4.18 to rule out the risk associated with the vulnerability. When reached for a response, the company confirmed “The "keys" that are used to protect people's messages are not being uploaded to the servers and that the crash log information does not allow it to access the message contents.”