Midnight Talk - Reading Arbitrary Local Files via Image Sharing
A WhatsApp Android Vulnerability I Discovered in 2018
In 2018, I discovered a vulnerability in the WhatsApp Android application that allowed for local file disclosure on the victim’s device simply by sending them a crafted image. I’m sharing this years later, as the issue has long been patched, but the principles remain relevant.
Once the image was received and opened, I could access the contents of any readable file on their device, including sensitive system files and app data. The vulnerability revolved around how WhatsApp handled image URIs when previewing or processing incoming media files.
WhatsApp, at the time, used a mechanism that allowed file URIs to be embedded in metadata or manipulated via crafted file paths.
Impact
This effectively allowed an attacker to read arbitrary files from the WhatsApp user’s device as long as they had read permissions.
Proof of Concept
More Articles
Continue reading about cybersecurity
How We Gained Full Access to a $100M Zero-Trust Startup
A deep dive into a real-world penetration test that discovered critical vulnerabilities, including SSRF and AWS privilege escalation, leading to a complete infrastructure compromise.
OWASP CTF 2025
We Came. We Hacked. We Almost Conquered. 2nd Place 🥈