Facebook Bug Bounty: Reading WhatsApp contacts list without unlocking the device
🏆 Facebook Hall of Fame Award 2019 (Whitehat Report #106535943952122)
Note: This is being published with the permission of Facebook under the responsible disclosure policy. The vulnerability is now fixed.
A bug allowed anyone with physical access to the victim's phone to read their entire contacts list without unlocking the device.
In a WhatsApp voice/video call 📞, an “Add participant” option is available to add more contacts to the call (👥 Group call).
I started a one-on-one voice/video call and tapped the “Add participant” button in the top right corner; it then displayed all the contacts without asking for the security lock while the device was locked 🔒.
This vulnerability is exploitable on some stock Android-based devices:
- Google Pixel (Android 8.1)
- Moto G4 Plus (Android 7.0)
✔️ Issue patched in WhatsApp version 2.19.198
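The write-up does not state the root cause of the bug, so the following is an added illustration of the generic defensive pattern rather than WhatsApp's code or fix: a call screen that is legitimately shown over the keyguard must re-check the lock state before any child screen (here, the "Add participant" contact picker) exposes private data. The package name, class name and button handler are hypothetical; the KeyguardManager and Activity APIs are the real Android ones, with the minimum API level noted beside each.

```java
// Added illustration, not WhatsApp's code. Package and class names are hypothetical.
package com.example.callscreen;

import android.app.Activity;
import android.app.KeyguardManager;
import android.content.Context;
import android.content.Intent;
import android.os.Build;
import android.os.Bundle;
import android.provider.ContactsContract;
import android.widget.Toast;

public class InCallActivity extends Activity {
    private static final int REQUEST_PICK_CONTACT = 1;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Call UIs are allowed to appear over the lock screen. That is exactly why
        // every screen reachable from here must check the lock state itself:
        // the keyguard no longer stands between the user and this Activity.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O_MR1) { // API 27
            setShowWhenLocked(true);
        }
    }

    /** Hypothetical handler wired to the "Add participant" button. */
    public void onAddParticipant() {
        KeyguardManager km = (KeyguardManager) getSystemService(Context.KEYGUARD_SERVICE);
        if (isLocked(km)) {
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) { // API 26
                // Hand off to the system credential prompt; open the picker only on success.
                km.requestDismissKeyguard(this, new KeyguardManager.KeyguardDismissCallback() {
                    @Override public void onDismissSucceeded() { launchContactPicker(); }
                    @Override public void onDismissCancelled() { deny(); }
                    @Override public void onDismissError() { deny(); }
                });
            } else {
                // No in-app unlock flow on older APIs: refuse rather than leak contacts.
                deny();
            }
            return;
        }
        launchContactPicker();
    }

    /**
     * True when the device is locked behind a secure credential (API 22+), or,
     * on older releases, when any keyguard is showing at all.
     */
    static boolean isLocked(KeyguardManager km) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP_MR1) { // API 22
            return km.isDeviceLocked();
        }
        return km.isKeyguardLocked();
    }

    private void launchContactPicker() {
        // The system contact picker stands in for the app's own contact list here.
        Intent pick = new Intent(Intent.ACTION_PICK, ContactsContract.Contacts.CONTENT_URI);
        startActivityForResult(pick, REQUEST_PICK_CONTACT);
    }

    private void deny() {
        Toast.makeText(this, "Unlock the device to add participants", Toast.LENGTH_SHORT).show();
    }
}
```

The check belongs in the handler, not only in onCreate: the device can be locked after the call screen is already up, so a one-time check at creation would pass and the later button tap would still open the list over the lock screen, which is the behaviour reported above. Any other screen launched from the lock-screen call UI (chat, media, settings) needs the same gate.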
June 13, 2019: Report submitted.
June 17, 2019: Facebook was unable to reproduce the issue and requested further clarification.
June 18, 2019: Clarifications sent.
July 10, 2019: Facebook forwarded the report to WhatsApp Product Team.
August 16, 2019: Issue patched and bounty awarded by Facebook.
I would like to thank Facebook Security Team for the bounty 💵.
📽️ PoC video
Thanks for reading this article! 🙏