POSTED BY: Chariton Karamitas / 14.04.2021

WhatsApp exposure of TLS 1.2 cryptographic material to third party apps

CENSUS ID:CENSUS-2021-0002
CVE ID:CVE-2021-24027
Affected Products:WhatsApp Messenger for Android, versions prior to 2.21.4.18
Class:Exposure of Sensitive Information to an Unauthorized Control Sphere (CWE-497)
Discovered by:Chariton Karamitas

CENSUS identified that versions prior to 2.21.4.18 of WhatsApp for Android allowed third party apps to access WhatsApp TLS 1.2 cryptographic material, as this was stored in "app-specific external storage". On Android 9 and previous versions of Android, the material is exposed to any third party app that bears the READ_EXTERNAL_STORAGE or WRITE_EXTERNAL_STORAGE permission. On Android 10 a malicious app would also require the requestLegacyExternalStorage attribute to access the files. Through the installation of a malicious app, or alternatively, through the exploitation of a vulnerable app (or Android component) that resides on a WhatsApp user's mobile device, remote actors were able to control the victim user's TLS session cryptographic secrets and could thus perform Man-in-The-Middle attacks to WhatsApp communications. Research has shown that exploitation of this vulnerability can lead to remote code execution on the victim device. CENSUS strongly recommends updating WhatsApp to version 2.21.4.18 or greater. This is a serious vulnerability which could be abused for surveillance purposes.

Vulnerability Details

WhatsApp Messenger from Facebook is a popular messaging application used by millions of users to exchange information. Google Play reports that there have been more than 5 billion installations of WhatsApp Messenger on user devices. The app uses TLS and the Noise protocol for the protection of client-to-server communications, while the Signal protocol is used for the protection of user-to-user communications.

CENSUS identified that versions of WhatsApp for Android prior to 2.21.4.18 store TLS 1.2 Master key material under the External Cache Directory (see Context.getExternalCacheDir). The External Cache Directory is mapped to an app-specific folder under External Storage (/sdcard/Android/data/<app>/cache). WhatsApp uses the SSLSessionCache/ sub-directory of the External Cache Directory to store the TLS 1.2 Master key cryptographic material.

On devices running Android versions up to and including Android 9, the cryptographic material becomes exposed to any third party application bearing the READ_EXTERNAL_STORAGE or WRITE_EXTERNAL_STORAGE permission. Please note that in 2019 Google reported that nearly 50% of the applications published on Google Play requested the READ_EXTERNAL_STORAGE permission from the user. On Android 10, a third party app is also required to have the requestLegacyExternalStorage attribute enabled in order to access the WhatsApp cryptographic material.

A "man-in-the-middle" adversary with access to the exposed cryptographic material would be able to eavesdrop and/or modify WhatsApp communications. This issue has been assigned CVE-2021-24027.

Android 10 introduced scoped storage to proactively defend against such "man-in-the-disk" attacks. Scoped storage severely limits the access that an app has on content created by other apps. For example, applications that have not been vetted as trusted file managers by Google, will not get access to app-specific external storage directories of other apps. The Android project provided developers with a transitional period for the changes imposed by scoped storage (see requestLegacyExternalStorage attribute in Android 10). The first version of Android that enforces strict scoped storage rules across all apps is Android 11.

Exploitation

This vulnerability can be exploited in scenarios where the attacker has previously set a foothold on the victim device through:

  • installation of a malicious app
  • exploitation of another vulnerability in an installed app or an Android component

Research has shown that exploitation can lead to successful man-in-the-middle attacks and remote code execution on victim devices. Further analysis of the exploitation implications of this vulnerability and a demonstration of the related attacks can be found in the dedicated blog post. CENSUS considers this a serious vulnerability as it could be abused for user surveillance purposes.

Recommendation

CENSUS has verified that the vulnerability has been patched correctly in version 2.21.4.18 of WhatsApp for Android. TLS 1.2 session secrets are now stored in the app's private directory. We strongly recommend to users, especially users running WhatsApp on Android 10 (or on previous Android releases), to update WhatsApp to version 2.21.4.18 or greater.

Disclosure Timeline

Vendor Contact:February 9, 2021
Vendor Fix Released:February 23, 2021
CVE Allocation:March 3, 2021 (by Facebook)
Public Advisory:April 5, 2021