Facebook-owned WhatsApp recently addressed two security vulnerabilities in its messaging app for Android that could have been exploited to execute malicious code remotely on the device and even exfiltrate sensitive information.
The flaws take aim at devices running Android versions up to and including Android 9 by carrying out what’s known as a “man-in-the-disk” attack that makes it possible for adversaries to compromise an app by manipulating certain data being exchanged between it and the external storage.
“The two aforementioned WhatsApp vulnerabilities would have made it possible for attackers to remotely collect TLS cryptographic material for TLS 1.3 and TLS 1.2 sessions,” researchers from Census Labs said today.
“With the TLS secrets at hand, we will demonstrate how a man-in-the-middle (MitM) attack can lead to the compromise of WhatsApp communications, to remote code execution on the victim device and to the extraction of Noise protocol keys used for end-to-end encryption in user communications.”
In particular, the flaw (CVE-2021-24027) leverages Chrome’s support for content providers in Android (via the “content://” URL scheme) and a same-origin policy bypass in the browser (CVE-2020-6516), thereby allowing an attacker to send a specially-crafted HTML file to a victim over WhatsApp, which, when opened on the browser, executes the code contained in the HTML file.
Worse, the malicious code can be used to access any resource stored in the unprotected external storage area, including those from WhatsApp, which was found to save TLS session key details in a sub-directory, among others, and as a result, expose sensitive information to any app that’s provisioned to read or write from the external storage.
Armed with the keys, a bad actor can then stage a man-in-the-middle attack to achieve remote code execution or even exfiltrate the Noise protocol key pairs — which are used to operate an encrypted channel between the client and server for transport layer security (and not the messages themselves, which are encrypted using the Signal protocol) — gathered by the app for diagnostic purposes by deliberately triggering an out of memory error remotely on the victim’s device
When this error is thrown, WhatsApp’s debugging mechanism kicks in and uploads the encoded key pairs along with the application logs, system information, and other memory content to a dedicated crash logs server (“crashlogs.whatsapp.net”). But it’s worth noting that this only occurs on devices that run a new version of the app, and “less than 10 days have elapsed since the current version’s release date.”
Although the debugging process is designed to be invoked to catch fatal errors in the app, the idea behind the MitM exploit is to programmatically cause an exception that will force the data collection and set off the upload, only to intercept the connection and “disclose all the sensitive information that was intended to be sent to WhatsApp’s internal infrastructure.”
To defend against such attacks, Google introduced a feature called “scoped storage” in Android 10, which gives each app an isolated storage area on the device in a way that no other app installed on the same device can directly access data saved by other apps.
The cybersecurity firm said it has no knowledge on whether the attacks have been exploited in the wild, although in the past, flaws in WhatsApp have been abused to inject spyware onto target devices and snoop on journalists and human rights activists.
WhatsApp users are recommended to update to version 18.104.22.168 to mitigate the risk associated with the flaws. When reached for a response, the company reiterated that the “keys” that are used to protect people’s messages are not being uploaded to the servers and that the crash log information does not allow it to access the message contents.
“We regularly work with security researchers to improve the numerous ways WhatsApp protects people’s messages,” a spokesperson told The Hacker News. “We appreciate the information these researchers shared with us, which has already helped us make improvements to WhatsApp in the event an Android user visited a malicious website on Chrome. To be clear: end-to-end encryption continues to work as intended and people’s messages remain safe and secure.”
“There are many more subsystems in WhatsApp which might be of great interest to an attacker,” Karamitas said. “The communication with upstream servers and the E2E encryption implementation are two notable ones. Additionally, despite the fact that this work focused on WhatsApp, other popular Android messaging applications (e.g. Viber, Facebook Messenger), or even mobile games might be unwillingly exposing a similar attack surface to remote adversaries.”