Two dangerous vulnerabilities were discovered in the version of the popular WhatsApp messenger for Android. Their exploitation allows you to remotely execute malicious code on the device and steal confidential information. The issues affect devices running all versions up to and including Android 9 and are related to how the software exchanges sensitive data with the device's external storage.
“Vulnerabilities in WhatsApp can remotely steal TLS protocol cryptographic data for TLS 1.3 and TLS 1.2 sessions. With the secrets of TLS at hand, conducting a MitM attack can lead to the compromise of WhatsApp communications, remote code execution on the victim's device and theft of the used Noise protocol keys for end-to-end encryption, ”explained experts from Census Labs.
Specifically, one of the vulnerabilities ( CVE-2021-24027 ) exploits Chrome support for Android content providers (via the "content: //" URL scheme) and the browser policy bypass vulnerability ( CVE-2020-6516 ), thereby by allowing the attacker to send a specially crafted HTML file to the victim via WhatsApp, which, when opened in a browser, executes the code. Malicious code can be used to access any resource in an unsecured external storage area, including WhatsApp resources and TLS session key data in a subdirectory.
Armed with the keys, an attacker can then launch a MitM attack to remotely execute code or even steal the Noise protocol key pair that is used to control the encrypted communication channel between the client and the server at the transport security layer.
When such a crash occurs, WhatsApp's debugging engine downloads the encoded key pairs, along with application logs, system information, and other memory contents, to a dedicated crash log server (crashlogs.whatsapp.net). Although the debugging process is designed to intercept critical problems in the application, the MitM attack initiates this download only in order to intercept the connection and "reveal all sensitive information intended to be sent to WhatsApp's internal infrastructure."
Experts do not know if the vulnerabilities were used in real attacks. WhatsApp users are advised to update to version 126.96.36.199, which fixes the vulnerabilities.