Full Disclosure mailing list archives

Re: Follow-up on CVE-2017-8769 - WhatsApp Issues with Media Files


From: Jeffrey Walton <noloader () gmail com>
Date: Fri, 8 Dec 2017 05:48:11 -0500

On Tue, Dec 5, 2017 at 5:27 PM, Nightwatch Cybersecurity Research
<research () nightwatchcybersecurity com> wrote:
> [https://wwws.nightwatchcybersecurity.com/2017/05/17/advisory-whatsapp-for-android-privacy-issues-with-handling-of-media-files-cve-2017-8769/]
>
> We reported an issue earlier this year to WhatsApp / Facebook, where
> after deleting chats the media files would be retained on the device.
> The vendor fixed the issue by adding an option of deleting these
> files. HOWEVER, our testing now shows that the fix doesn't always work
> and the vendor doesn't acknowledge the issue as a security problem. We
> have updated the advisory accordingly and are recommending that users
> delete the media files from the SD card manually.

Deleting files from the SDcard likely won't fix the problem. The
vendor has to fix the problem by avoiding plain text on the disk.

Also see "Reliably Erasing Data From Flash-Based Solid State Drives,"
https://www.usenix.org/legacy/event/fast11/tech/full_papers/Wei.pdf .

Jeff

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

