Midnight Talk - Reading Arbitrary Local Files via Image Sharing

In 2018, I discovered a vulnerability in the WhatsApp Android application that allowed for local file disclosure on the victim’s device simply by sending them a crafted image. I’m sharing this years later, as the issue has long been patched, but the principles remain relevant.

Once the image was received and opened, I could access the contents of any readable file on their device, including sensitive system files and app data. The vulnerability revolved around how WhatsApp handled image URIs when previewing or processing incoming media files.

WhatsApp, at the time, used a mechanism that allowed file URIs to be embedded in metadata or manipulated via crafted file paths.

Impact

This effectively allowed an attacker to read arbitrary files from the WhatsApp user’s device as long as they had read permissions.

Proof of Concept