WhatsApp's messaging app for Android had two security vulnerabilities that, when exploited, could have allowed attackers to execute malicious code remotely on the device and even exfiltrate sensitive information.
The flaws affect devices running Android versions up to and including Android 9 and are exploited through a “man-in-the-disk” attack, in which an attacker compromises an app by manipulating certain data being exchanged between it and the external storage.
According to researchers from Census Labs, the two vulnerabilities would have made it possible for attackers to remotely collect TLS cryptographic material for TLS 1.3 and TLS 1.2 sessions.
They said that with the TLS secrets at hand, they would demonstrate how a man-in-the-middle (MitM) attack can lead to the compromise of WhatsApp communications, to remote code execution on the victim device and to the extraction of Noise protocol keys used for end-to-end encryption in user communications.
The vulnerability (CVE-2021-24027) leverages Chrome's support for content providers in Android (via the “content://” URL scheme) and a same-origin policy bypass in the browser (CVE-2020-6516). Together these allow an attacker to send a specially crafted HTML file to a victim over WhatsApp which, when opened in the browser, executes the code contained in the HTML file.
The malicious code can be used to access any resource stored in the unprotected external storage area, including resources belonging to WhatsApp. The app was found to save TLS session key details, among other data, in a sub-directory there, and as a result exposed sensitive information to any app that is provisioned to read or write from the external storage.
Having the keys, the attacker can then conduct a man-in-the-middle attack to achieve remote code execution or even exfiltrate the Noise protocol key pairs, which are used to operate an encrypted channel between the client and server for transport layer security and which the app collects for diagnostic purposes. The exfiltration works by deliberately triggering an out-of-memory error remotely on the victim's device.
When this error is thrown, WhatsApp's debugging mechanism uploads the encoded key pairs along with the application logs, system information, and other memory content to a dedicated crash logs server (“crashlogs.whatsapp.net”). This happens only on devices that have a new version of the app.
The cybersecurity firm does not know whether the flaws have been exploited in the wild. However, all WhatsApp users are advised to update to version 18.104.22.168 to mitigate the risk associated with the flaws.
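For app developers, the external-storage exposure described above comes down to where session material is written. The following is an added example, not WhatsApp's or Census Labs' code: a hypothetical `SessionCacheStore` helper (class name, directory name and id format are assumptions) that keeps TLS session files in app-private storage and fails closed if a path resolves onto shared external storage.

```java
import android.content.Context;
import android.os.Environment;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;

/** Hypothetical helper: keeps TLS session cache files in app-private storage. */
public final class SessionCacheStore {
    private final File baseDir;

    public SessionCacheStore(Context context) throws IOException {
        // Weak choice (the pattern the article describes): context.getExternalCacheDir()
        // sits on external storage, which other apps with storage access can read.
        // Hardened choice: getCacheDir() is inside the app's private data directory.
        File dir = new File(context.getCacheDir(), "tls-sessions"); // assumed name
        if (!dir.isDirectory() && !dir.mkdirs()) {
            throw new IOException("cannot create " + dir);
        }
        baseDir = dir.getCanonicalFile();
        rejectExternal(baseDir);
    }

    /** Fails closed if the resolved path ends up on shared external storage. */
    private static void rejectExternal(File f) throws IOException {
        String ext = Environment.getExternalStorageDirectory().getCanonicalPath();
        String p = f.getCanonicalPath();
        if (p.equals(ext) || p.startsWith(ext + File.separator)) {
            throw new IOException("refusing external storage path: " + p);
        }
    }

    public void save(String sessionId, byte[] data) throws IOException {
        // Only allow simple names so a crafted id cannot traverse out of baseDir.
        if (!sessionId.matches("[A-Za-z0-9_-]{1,64}")) {
            throw new IllegalArgumentException("bad session id");
        }
        // Canonicalize to resolve symlinks and ".." before comparing parents.
        File target = new File(baseDir, sessionId).getCanonicalFile();
        if (!target.getParentFile().equals(baseDir)) {
            throw new IOException("path escapes cache directory");
        }
        rejectExternal(target);
        try (FileOutputStream out = new FileOutputStream(target)) {
            out.write(data);
        }
    }
}
```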