WhatsApp: LFD Vulnerability

Before describing the issue found on WhatsApp, I want to introduce the LFD vulnerability.

A Local File Disclosure (LFD) vulnerability allows an attacker to read the contents of files on the server and obtain sensitive information such as FTP or MySQL credentials, usually by exploiting a “dynamic file inclusion” mechanism implemented in the target application. The vulnerability occurs when user-supplied input is used without proper validation.
This can lead to something as simple as outputting the contents of a file, but depending on the severity, it can also lead to:

  • Code execution on the underlying operating system (if the web application has root privileges and can read the contents of the /etc/shadow file, and the attacker is able to crack the hashed passwords in /etc/shadow)
  • Sensitive Information Disclosure

The vulnerable link that allows me to download the /etc/passwd file is:

http://media.whatsapp.com/directory/..%252f..%252f..%252f..%252fetc%252fpasswd


and this is the content of the /etc/passwd file

The bug has now been fixed.
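
The link above hides its `../` sequences behind two layers of percent-encoding (`%252f` decodes to `%2f`, then to `/`), so a filter that decodes only once never sees a slash. The following server-side check is an added example, not code from the original post and not WhatsApp's actual fix; the function names, the round limit and the media directory are assumptions chosen for illustration.

```python
import os
import tempfile
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 5  # assumption: deeper nesting is rejected outright


def fully_decode(raw):
    """Percent-decode until the value stops changing (%252f -> %2f -> /)."""
    current = raw
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            return current
        current = decoded
    raise ValueError("too many layers of percent-encoding")


def resolve_under(base_dir, raw_name):
    """Return the real path of raw_name if it stays inside base_dir, else raise."""
    name = fully_decode(raw_name)
    if "\x00" in name:
        raise ValueError("NUL byte in path")
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks before the containment check
    candidate = os.path.realpath(os.path.join(base, name))
    # commonpath compares whole components, so /srv/media2 never passes for /srv/media
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory")
    return candidate


def is_allowed(base_dir, raw_name):
    try:
        resolve_under(base_dir, raw_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    media = tempfile.mkdtemp()  # constructed stand-in for the served directory
    open(os.path.join(media, "photo.jpg"), "w").close()
    for name in ("photo.jpg",
                 "..%2f..%2fetc%2fpasswd",
                 "..%252f..%252f..%252f..%252fetc%252fpasswd"):
        print(name, "->", "served" if is_allowed(media, name) else "rejected")
```

The containment check runs on the fully decoded, canonicalised path, so it holds no matter how many encoding layers the web server or framework removed before the application saw the value.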