Facebook-owned WhatsApp recently addressed two security vulnerabilities in its messaging app for Android that could have been exploited to execute malicious code remotely on the device and even compromise encrypted communications.
The flaws take aim at devices running Android versions up to and including Android 9 by carrying out what’s known as a “man-in-the-disk” attack that makes it possible for adversaries to compromise an app by manipulating certain data being exchanged between it and the external storage.
“The two aforementioned WhatsApp vulnerabilities would have made it possible for attackers to remotely collect TLS cryptographic material for TLS 1.3 and TLS 1.2 sessions,” researchers from Census Labs said today.
“With the TLS secrets at hand, we will demonstrate how a man-in-the-middle (MitM) attack can lead to the compromise of WhatsApp communications, to remote code execution on the victim device and to the extraction of Noise protocol keys used for end-to-end encryption in user communications.”
In particular, the flaw (CVE-2021-24027) leverages Chrome’s support for content providers in Android (via the “content://” URL scheme) and a same-origin policy bypass in the browser (CVE-2020-6516), thereby allowing an attacker to send a specially-crafted HTML file to a victim over WhatsApp, which, when opened on the browser, executes the code contained in HTML file.
Worse, the malicious code can be used to access any resource stored in the unprotected external storage area, including those from WhatsApp, which was found to save TLS session key details in a sub-directory, among others, and as a result, expose sensitive information to any app that’s provisioned to read or write from the external storage.
“All an attacker has to do is lure the victim into opening an HTML document attachment,” Census Labs researcher Chariton Karamitas said. “WhatsApp will render this attachment in Chrome, over a content provider, and the attacker’s Javascript code will be able to steal the stored TLS session keys.”
Armed with the keys, a bad actor can then stage a man-in-the-middle attack to achieve remote code execution or even exfiltrate the Noise protocol key pairs (used for end-to-end encryption) gathered by the app for diagnostic purposes by deliberately triggering an out of memory error remotely on the victim’s device.
When this error is thrown, WhatsApp’s debugging mechanism kicks in and uploads the encoded key pairs along with the application logs, system information, and other memory content to a dedicated crash logs server (“crashlogs.whatsapp.net”). But it’s worth noting that this only occurs on devices that run a new version of the app, and “less than 10 days have elapsed since the current version’s release date.”
To defend against such attacks, Google introduced a feature called “scoped storage” in Android 10, which gives each app an isolated storage area on the device in a way that no other app installed on the same device can directly access data saved by other apps.
The cybersecurity firm said it has no knowledge on whether the attacks have been exploited in the wild, although in the past, flaws in WhatsApp have been abused to inject spyware onto target devices and snoop on journalists and human rights activists.
WhatsApp users are recommended to update to version 2.21.4.18 to mitigate the risk associated with the flaws. We have reached out to the company for comment, and we will update the story if we hear back.
“There are many more subsystems in WhatsApp which might be of great interest to an attacker,” Karamitas said. “The communication with upstream servers and the E2E encryption implementation are two notable ones. Additionally, despite the fact that this work focused on WhatsApp, other popular Android messaging applications (e.g. Viber, Facebook Messenger), or even mobile games might be unwillingly exposing a similar attack surface to remote adversaries.”