WhatsApp recently addressed two security vulnerabilities in its app for Android that could have been exploited by remote attackers to execute malicious code on a target device and potentially eavesdrop on communications.
The vulnerabilities allow attackers to conduct “man-in-the-disk” attacks that are usually possible when mobile apps improperly manage External Storage that is shared across all applications on the device.
The attacks stem from the ability of attackers to compromise an app by manipulating certain data being exchanged between it and the external storage.
“we will have a look at how a simple phishing attack through an Android messaging application could result in the direct leakage of data found in External Storage (/sdcard). Then we will show how the two aforementioned WhatsApp vulnerabilities would have made it possible for attackers to remotely collect TLS cryptographic material for TLS 1.3 and TLS 1.2 sessions.” reads the analysis of researchers from Census Labs which reported one of the two issues(CVE-2021-24027). “With the TLS secrets at hand, we will demonstrate how a man-in-the-middle (MitM) attack can lead to the compromise of WhatsApp communications, to remote code execution on the victim device and to the extraction of Noise  protocol keys used for end-to-end encryption in user communications.”
The CVE-2021-24027 flaw stems from the implementation of content providers in Chrome, which is an IPC mechanism that is used by an application to share resources with any other application, and a same-origin policy bypass in the browser (CVE-2020-6516).
An attacker can trigger the issue by sending a specially-crafted HTML file to a victim via WhatsApp, which once opened in the victim’s browser, executes the attacker’s code contained in the HTML file.
The code could also allow attackers to access data stored in the external storage. This attack could be exploited to access data stored by WhatsApp, including TLS session keys which are stored in a sub-directory.
Upon obtaining the session keys, threat actors can perform a stage a man-in-the-middle attack to achieve remote code execution or even exfiltrate the Noise protocol key pairs which are used to implement end-to-end encryption of user communications.
“WhatsApp comes with a debugging mechanism that allows its development team to catch fatal errors happening in the wild during the first few days of a release. More specifically, if an OutOfMemoryError exception is thrown, a custom exception handler is invoked that collects System Information, WhatsApp Application Logs, as well as a dump of the Application Heap (collected using android.os.Debug::dumpHprofData()). These are uploaded to crashlogs.whatsapp.net.” states the report.
When OutOfMemoryError exception is thrown, WhatsApp uploads the encoded key pairs along with other data to logs server. This happens only when the devices run a new version of the app and “less than 10 days have elapsed since the current version’s release date.”
The attackers could deliberately throw the exception to force the data being sent to the server and intercept it.
Google mitigated this attack by introducing the “scoped storage” model that allows each app to access only their own app-specific cache files.
The above vulnerabilities were addressed by WhatsApp with the release of version 184.108.40.206.
“CENSUS strongly recommends to users to make sure they are using WhatsApp version 220.127.116.11 or greater on the Android platform, as previous versions are vulnerable to the aforementioned bugs and may allow for remote user surveillance. CENSUS has tracked the TLS 1.2 man-in-the-disk vulnerability under CVE-2021-24027.” concludes the report.
“There are many more subsystems in WhatsApp which might be of great interest to an attacker. The communication with upstream servers and the E2E encryption implementation are two notable ones. Additionally, despite the fact that this work focused on WhatsApp, other popular Android messaging applications (e.g. Viber, Facebook Messenger), or even mobile games might be unwillingly exposing a similar attack surface to remote adversaries.”
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, WhatsApp)