Vulnerabilities in WhatsApp Allow Remote Code Execution


Two dangerous vulnerabilities were found in the popular messaging app WhatsApp for Android. By exploiting them, an attacker can remotely execute malicious code on the device and steal confidential information. The issues affect devices running all Android versions up to and including Android 9 and are related to how the software exchanges sensitive data with the device's external storage.


“Vulnerabilities in WhatsApp can remotely steal TLS protocol cryptographic data for TLS 1.3 and TLS 1.2 sessions. With the secrets of TLS at hand, conducting a MitM attack can compromise WhatsApp communications, remotely execute code on the victim's device, and steal the used Noise keys for end-to-end encryption,” explained experts from Census Labs.


Specifically, one of the vulnerabilities (CVE-2021-24027) exploits Chrome's support for Android content providers (via the "content://" URL scheme) together with the browser policy bypass vulnerability (CVE-2020-6516), thereby allowing the attacker to send a specially crafted HTML file to the victim via WhatsApp which, when opened in the browser, executes the attacker's code. That code can then read any resource in the unsecured external storage area, including WhatsApp's own resources and the TLS session key data kept in a subdirectory there.

Armed with the keys, an attacker can then launch a MitM attack to remotely execute code or even steal the Noise protocol key pair, which protects the encrypted communication channel between the client and the server at the transport layer.
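The root cause described above is sensitive key material written to external storage, which any app with the storage permission (and, per the article, a browser reaching the directory through a content:// provider) can read. The following Android snippet is an added example, not WhatsApp's or Census Labs' code: it places the weak pattern beside a hardened one that keeps the secret in app-private internal storage and encrypts it with a Keystore-backed key. The package name, class and file names are assumptions, and the hardened path assumes the androidx.security:security-crypto library is a dependency.

```java
// Added example (not WhatsApp's code): the storage pattern the article describes
// beside a hardened alternative. Package, class and file names are assumptions.
package com.example.storagehardening;

import android.content.Context;
import androidx.security.crypto.EncryptedFile;
import androidx.security.crypto.MasterKey;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.security.GeneralSecurityException;

public final class SessionSecretStore {

    private SessionSecretStore() {}

    /**
     * WEAK: writes a session secret under the app's external-storage directory.
     * Files there live on shared storage: other apps holding the storage permission,
     * and a browser that can reach the directory through a content:// provider,
     * can read them. This is the pattern the advisory warns about.
     */
    public static File storeOnExternalStorageWeak(Context ctx, byte[] secret) throws IOException {
        File dir = ctx.getExternalFilesDir(null);            // e.g. /sdcard/Android/data/<pkg>/files
        if (dir == null) {
            throw new IOException("external storage not mounted");
        }
        File out = new File(dir, "tls_session_secret.bin");  // assumed file name
        try (OutputStream os = new FileOutputStream(out)) {
            os.write(secret);
        }
        return out;
    }

    /**
     * HARDENED: keeps the secret in app-private internal storage, where file
     * permissions restrict access to this app's Linux UID, and encrypts it with a
     * key held in the Android Keystore (androidx security-crypto, assumed dependency).
     * Neither a content:// provider nor another app can read the plaintext.
     */
    public static File storeInternallyEncrypted(Context ctx, byte[] secret)
            throws IOException, GeneralSecurityException {
        MasterKey masterKey = new MasterKey.Builder(ctx)
                .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                .build();
        File out = new File(ctx.getFilesDir(), "tls_session_secret.enc"); // /data/data/<pkg>/files
        // EncryptedFile refuses to overwrite an existing file, so replace it explicitly.
        if (out.exists() && !out.delete()) {
            throw new IOException("cannot replace existing secret file");
        }
        EncryptedFile ef = new EncryptedFile.Builder(
                ctx, out, masterKey, EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB)
                .build();
        try (OutputStream os = ef.openFileOutput()) {
            os.write(secret);
        }
        return out;
    }

    /**
     * Audit helper: true when a path resolves under any of the app's external-storage
     * roots. Useful in a unit test that asserts no secret-bearing file ever lands there.
     */
    public static boolean isOnExternalStorage(Context ctx, File f) throws IOException {
        String canonical = f.getCanonicalPath();
        for (File root : ctx.getExternalFilesDirs(null)) {
            if (root != null && canonical.startsWith(root.getCanonicalPath() + File.separator)) {
                return true;
            }
        }
        return false;
    }
}
```

The audit helper is the check a reviewer would wire into tests: for each place the app persists key material, assert that `isOnExternalStorage` returns false. Moving the file alone already closes the content:// read path described in the article; the encryption layer additionally limits what a later local compromise of the app sandbox can recover.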

When a crash occurs, WhatsApp's debugging engine uploads the encoded key pairs, along with application logs, system information, and other memory contents, to a dedicated crash log server (crashlogs.whatsapp.net). Although this debugging process is designed to capture critical problems in the application, the MitM attack triggers the upload only in order to intercept the connection and "reveal all sensitive information intended to be sent to WhatsApp's internal infrastructure."

Although experts are uncertain whether the vulnerabilities have been exploited in real attacks, WhatsApp version 2.21.4.18 fixes them.
