You better update WhatsApp right now. A researcher has discovered a nasty vulnerability in the Facebook-owned privacy-oriented messenger that made it possible to for attackers to gain access to your files and messages ⁠— by sending you a malicious GIF.

The danger stems from a double-free bug in WhatsApp, according to a researcher going by the nickname Awakened. For those unfamiliar with the term, a double-free vulnerability refers to a memory corruption anomaly that could crash an app, or worse ⁠— open up an exploit vector that attackers can abuse to obtain access to your device. All it takes to perform the attack is to craft a malicious GIF, and trick a user into loading it.

In a technical write-up on GitHub, the researcher explains the flaw resided in WhatsApp‘s Gallery view implementation, which is used to generate previews for images, videos, and GIFs.

The exploit seems to affect primarily Android devices. “The exploit works well for Android 8.1 and 9.0, but does not work for Android 8.0 and below,” Awakened writes. “In the older Android versions, double-free could still be triggered. However, […] the app just crashes before reaching to the point that we could control the PC register.”

The researcher has already notified Facebook of this shortcoming, and the company has since fixed the issue. To protect yourself against the exploit, you should download the latest version of the app.

“Facebook acknowledged and patched it officially in WhatsApp version 2.19.244. WhatsApp users, please do update to latest WhatsApp version (2.19.244 or above) to get rid of this bug,” the researcher urged users in his blog post.

Not a first for WhatsApp

This is hardly the first time WhatsApp has dealt with potentially harmful flaws in its software.

Earlier this year, the Financial Times reported a vulnerability in the messaging app allowed attackers to slip in spyware on users’ devices. WhatsApp rushed to fix the issue, but did not clarify how many users were affected by this loophole.

More recently, researchers found a kink in WhatsApp that made it possible to manipulate or spoof messages.

It remains unclear if attackers were able to exploit the double-free vulnerability in the wild, but we’ve reached out to Facebook for a clarification, and will update this piece accordingly if we hear back.

Compiled by Olalekan Adeleye

The Next Web