A WhatsApp bug lets malicious media files spread through group chats (malwarebytes.com)
jeroenhd 15 hours ago [-]
Awful reporting. Vague workarounds for an issue "reported by Google Project Zero" without links to said report, but with links to Forbes (who interviewed one of WhatsApp's competitors about WhatsApp's security while their own app doesn't even do proper E2EE). Was there a human involved in publishing this page? If so, was leaving out the link to Project Zero intentional?

Anyway, according to Google Project Zero, the issue has been fixed with a comprehensive fix: https://project-zero.issues.chromium.org/issues/442425914

You can always enable lockdown mode and disable downloading media to protect against undetected vulnerabilities of course, but the bug has been fixed and you just need to update for the problem to go away.

mikkupikku 15 hours ago [-]
Journalists (and their editors) are allergic to proper citations. This is just standard reporting stuff, not unusual in the least.
charcircuit 14 hours ago [-]
What is the actual implication of the attack? That your mobile data might be wasted?
toast0 14 hours ago [-]
Sure, excess data use.

But media files that exploit parsers are the bigger issue. Errors in parsing have allowed for code execution, etc., in whatever context the parser runs; look into Stagefright and the many similar exploits before and after. Accepting media files from anywhere without user interaction is pretty risky. WhatsApp has a media file sanitizer, but it may not catch everything.

Disclosure: I worked at WhatsApp until 2019; but not on the media file sanitizer.

charcircuit 11 hours ago [-]
But this exploit is about downloading the media. There doesn't seem to be a way to view it to trigger parsing it?

Edit: Rereading the bug report it seems implied that it is not just talking about downloading the images, but also trying to show them.

toast0 10 hours ago [-]
If the file is placed in your phone's media folder, it may be displayed when you use media features on your phone. It may also be processed automatically by other software; maybe to generate a thumbnail for use in the system media view or other reasons.
testdelacc1 14 hours ago [-]
The implication being that if the attacker could also craft a malicious payload that would cause a buffer overflow, they could chain the exploits to get remote code execution on the client.

While anyone can perform the attack described in the bug, it takes a very sophisticated attacker to craft the payload that can exploit Android’s media library.

j45 14 hours ago [-]
Neat tool.

Prolificity (ooh, invented word?) could be more than quantity of words, maybe quality too?
