Last week, reports such as this one from Dark Reading surfaced a remotely exploitable bug in Facebook’s popular WhatsApp chat app, one used to spy on users and specifically targeted at human rights groups. Facebook patched the flaw last week in the latest WhatsApp version, 2.19.244.
At Sonatype, we emphasize knowing what is actually vulnerable in your code as deployed, as opposed to what developers declare they are using. In Facebook’s case, proprietary code relied on an open source component whose embedded native C code turned out to be vulnerable. Facebook decided to eliminate the dependency, but the episode proves that not having a grasp of the components your core code depends on can have serious consequences.
Facebook and WhatsApp, two “free” social media apps, represent juicy targets for attackers. How the apps are built, and specifically how they manage memory, is what makes this vector exploitable.
Dark Reading’s Jai Vijayan explains:
“The bug does not exist in WhatsApp itself but rather in an open source library that the application uses to parse media files. The so-called double-free vulnerability (tracked as CVE-2019-11932) stems from how memory is allocated when GIF images are parsed in WhatsApp. A double-free vulnerability involves an app calling the same memory space on a device twice, resulting in a memory leak.”
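The memory-ownership mistake the quote describes, as an added example that is not WhatsApp’s or the GIF library’s code: a minimal GIF frame decoder in C with the double-free shape beside the fixed version, fed a constructed 13-byte GIF header. The function names are hypothetical; the buggy variant is kept only for comparison and would trip AddressSanitizer or glibc’s double-free check if its error path were run.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* A decoded GIF frame; the struct owns 'pixels' until frame_release(). */
typedef struct { uint16_t width, height; unsigned char *pixels; } gif_frame;
/* Reads the signature and logical screen size from a 13-byte GIF header
 * (width/height little-endian at offsets 6..9). Returns 0 on success. */
static int parse_header(const unsigned char *buf, size_t len, gif_frame *f) {
    if (len < 13 || memcmp(buf, "GIF8", 4) != 0 || buf[5] != 'a') return -1;
    f->width  = (uint16_t)(buf[6] | (buf[7] << 8));
    f->height = (uint16_t)(buf[8] | (buf[9] << 8));
    return 0;
}

/* The one release point: free AND null, so a repeated call is a no-op
 * (free(NULL) is defined) rather than a second free of the same chunk. */
void frame_release(gif_frame *f) {
    free(f->pixels);
    f->pixels = NULL;
}

/* BUGGY (CWE-415 shape; run only under AddressSanitizer): the truncated-frame
 * path frees 'pixels' but leaves the dangling pointer in the struct, so the
 * caller's routine frame_release() frees the same chunk a second time. */
int decode_frame_buggy(const unsigned char *buf, size_t len, gif_frame *f) {
    if (parse_header(buf, len, f)) return -1;
    size_t need = (size_t)f->width * f->height;
    if (!(f->pixels = malloc(need))) return -1;
    if (len - 13 < need) { free(f->pixels); return -1; }   /* dangling */
    memcpy(f->pixels, buf + 13, need);
    return 0;
}

/* FIXED: every error path goes through the owner-aware release. */
int decode_frame_fixed(const unsigned char *buf, size_t len, gif_frame *f) {
    if (parse_header(buf, len, f)) return -1;
    size_t need = (size_t)f->width * f->height;
    if (!(f->pixels = malloc(need))) return -1;
    if (len - 13 < need) { frame_release(f); return -1; }  /* pixels == NULL */
    memcpy(f->pixels, buf + 13, need);
    return 0;
}
int main(void) {  /* constructed input: header claims 2x3 pixels, only 2 follow */
    unsigned char hdr[15] = {'G','I','F','8','9','a', 2,0, 3,0, 0,0,0, 1,2};
    gif_frame f = {0};
    int rc = decode_frame_fixed(hdr, sizeof hdr, &f);
    frame_release(&f);   /* caller cleanup: harmless after the error path */
    return (rc == -1 && f.pixels == NULL) ? 0 : 1;
}
```

Building the real decoder with `-fsanitize=address` is the cheapest way to catch the buggy shape in tests before it ships inside a dependency.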
When We Contain These Risks, Others Do, Too
Developers who unknowingly use vulnerable libraries pass those risks along to everyone downstream. Our own DJ Schleen explains in this video.
DJ’s two recommendations:
*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Katie McCaskey. Read the original post at: https://blog.sonatype.com/whatsapp-double-free-double-trouble