WhatsApp's technical team recently addressed two
security vulnerabilities in WhatsApp for Android. According to security researchers,
remote attackers could have exploited these vulnerabilities to execute malicious
code on a target device.
The flaws enable
“man-in-the-disk” attacks, which become possible when mobile apps use external
storage that is shared across all installed applications. An attacker can manipulate certain
data being exchanged between the mobile app and that external storage.
Census Labs
researchers reported one of the two issues (CVE-2021-24027)
and said “We will show how the two aforementioned WhatsApp vulnerabilities
would have made it possible for attackers to remotely collect TLS cryptographic
material for TLS 1.3 and TLS 1.2 sessions.”
“With the TLS
secrets at hand, we will demonstrate how a man-in-the-middle (MitM) attack can
lead to the compromise of WhatsApp communications, to remote code execution on
the victim device and to the extraction of Noise protocol keys used for
end-to-end encryption in user communications.”
The CVE-2021-24027 vulnerability,
present in WhatsApp for Android prior to v2.21.4.18 and
WhatsApp Business for Android prior to v2.21.4.18,
relies on Chrome's support on Android and can allow an attacker
with access to the device’s external storage to read cached TLS material.
An attacker can send a specially crafted HTML file
to a victim over WhatsApp; once opened in
the victim’s browser, it executes the attacker’s code contained in the HTML file.
“All
an attacker has to do is lure the victim into opening an HTML document
attachment. WhatsApp will render this attachment in Chrome, over a content
provider, and the attacker's JavaScript code will be able to steal the stored
TLS session keys,” Census Labs researcher Chariton Karamitas said.
“WhatsApp
comes with a debugging mechanism that allows its development team to catch
fatal errors happening in the wild during the first few days of a release. More
specifically, if an OutOfMemoryError exception is thrown, a custom exception
handler is invoked that collects System Information, WhatsApp Application Logs,
as well as a dump of the Application Heap (collected using android.os.Debug::dumpHprofData).
These are uploaded to crashlogs.whatsapp.net,” according to the report.
Attackers could deliberately trigger the exception
to force this data to be sent to the server, and then intercept it.
Google has already addressed this vulnerability at the platform level by
introducing the “scoped storage” model in Android 10, which allows each app to access only its own app-specific
cache files.
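As an added example, not part of this article and not WhatsApp's or Census Labs' code: a small Python audit of an AndroidManifest.xml for the settings that leave an app's files on shared external storage, which is the precondition for the man-in-the-disk attacks described above and what scoped storage in Android 10 is meant to remove. The two manifests are constructed for the example, and the package name com.example.messenger and the function names are assumptions; the manifest settings it checks (targetSdkVersion, requestLegacyExternalStorage, and the READ/WRITE_EXTERNAL_STORAGE permissions) are real Android settings.

```python
"""Static check for the man-in-the-disk precondition: an Android app that
still keeps data on the external storage volume shared with other apps.
Added example for this article, not WhatsApp's or Census Labs' code; the
manifests below are constructed for the demonstration."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SCOPED_STORAGE_API = 29  # Android 10 (API level 29) introduced scoped storage
STORAGE_PERMISSIONS = {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"}

# Constructed manifest of a hypothetical messaging app (not WhatsApp's).
LEGACY_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="28" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <application android:label="Messenger"
        android:requestLegacyExternalStorage="true" />
</manifest>
"""

# The same hypothetical app after moving to scoped storage: targets API 29+,
# drops the broad storage permission and does not opt back into legacy behaviour.
SCOPED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30" />
    <application android:label="Messenger" />
</manifest>
"""


def _android_attr(element, name):
    """Read an attribute from the android: namespace, or None if absent."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(xml_text):
    """Return (severity, message) findings that indicate shared-storage exposure."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. Apps targeting an API level before 29 never get scoped storage, so
    #    their external files are readable by any app with storage access.
    uses_sdk = root.find("uses-sdk")
    target = _android_attr(uses_sdk, "targetSdkVersion") if uses_sdk is not None else None
    if target is not None and int(target) < SCOPED_STORAGE_API:
        findings.append(("high", "targetSdkVersion %s predates scoped storage (API %d)"
                         % (target, SCOPED_STORAGE_API)))

    # 2. Broad storage permissions mean the app reads or writes the shared volume.
    for perm in root.findall("uses-permission"):
        name = (_android_attr(perm, "name") or "").rsplit(".", 1)[-1]
        if name in STORAGE_PERMISSIONS:
            findings.append(("medium", "requests %s: data on the shared external volume" % name))

    # 3. requestLegacyExternalStorage="true" opts an API-29 app out of scoped storage.
    app = root.find("application")
    if app is not None and (_android_attr(app, "requestLegacyExternalStorage") or "").lower() == "true":
        findings.append(("high", "requestLegacyExternalStorage=true opts out of scoped storage"))
    return findings


def is_isolated(xml_text):
    """True when no finding suggests the app's data is exposed to other apps."""
    return not audit_manifest(xml_text)


if __name__ == "__main__":
    for label, manifest in (("legacy", LEGACY_MANIFEST), ("scoped", SCOPED_MANIFEST)):
        print(label, "isolated" if is_isolated(manifest) else "exposed")
        for severity, message in audit_manifest(manifest):
            print("  [%s] %s" % (severity, message))
```

Running it reports the legacy manifest as exposed (three findings) and the scoped one as isolated. Even under scoped storage, material such as TLS session keys belongs in the app's internal storage (its private files or cache directory), which other apps cannot read regardless of the platform version.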
Remediation
The CVE-2021-24027 vulnerability was addressed by
WhatsApp with the release of version 2.21.4.18.
WhatsApp users are advised to update to
version 2.21.4.18 to rule out the risk associated with the vulnerability.
When reached for a response, the company confirmed: “The ‘keys’ that
are used to protect people's messages are not being uploaded to the servers and
that the crash log information does not allow it to access the message contents.”