Description
WhatsApp Android has a contact gating bypass in groups that leads to interaction-less media download...
Basic Information
ID
PACKETSTORM:212313
Published
Dec 2, 2025 at 00:00
Background
To prevent security issues and spam, WhatsApp for Android requires some form of user interaction before it will automatically download files from non-contacts:
a. After adding someone as a contact, all future received images/files will be downloaded.
b. For individual chats, if you reply to a non-contact, future media/documents from them will be automatically downloaded.
c. For group chats, opening the group once will cause all future messages in that group to be downloaded.
d. Manually pressing download on an image from a non-contact will also download the media/document.
After downloading, files can appear in the MediaStore database, which opens up attack surface. WhatsApp calls MEDIA_SCANNER_SCAN_FILE on the file immediately after download, so it should show up in MediaStore right away. Vulnerabilities that bypass any of these checks can make bugs such as PZ-442423708 and PZ-443741909 reachable without any of the user interaction listed above. This vulnerability requires the precondition of knowing, guessing, or leaking one of the victim's contacts, making it lower severity than a full contact gating bypass. However, it is easy to attempt this many times in quick succession, and contacts are likely easy to guess in targeted attacks.
VULNERABILITY DETAILS/REPRODUCTION CASE
1. Attacker creates a WhatsApp group.
2. Attacker adds Victim to the WhatsApp group.
3. Attacker adds Victim's Contact to the WhatsApp group.
4. Attacker promotes Victim's Contact to admin.
5. Attacker sends a presumably malicious image to the WhatsApp group (WhatsApp Web is the easiest way to avoid errors on the sender's client).
6. Victim's device automatically downloads the image without Victim ever interacting with the group.
6.a. Note that the image is not downloaded by Victim's Contact.
Note: to verify the photo is now in the MediaStore database, run the following on Victim's device:
    adb shell content query --uri content://media/external/file --projection _data
Note: disabling automatic download or enabling WhatsApp's Advanced Privacy Mode prevents the file from being automatically downloaded.
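The adb query above lists every row in MediaStore, so on a real device the WhatsApp file is buried among camera photos and downloads. The script below is an added example (not part of the original report) that parses that query output and keeps only rows pointing into WhatsApp's media directories, so a tester can confirm that the auto-downloaded image was indexed. The sample query output is constructed for this example, and the directory layout (Android/media/com.whatsapp/WhatsApp/Media/...) is an assumption about where WhatsApp stores received media; it may differ between app and Android versions.

```shell
#!/bin/sh
# Added example: filter the output of
#   adb shell content query --uri content://media/external/file --projection _data
# down to WhatsApp media rows, so an auto-downloaded file can be spotted quickly.
#
# Constructed sample output (not captured from a device). The WhatsApp media
# path layout is an assumption and may differ on other versions.
SAMPLE_QUERY_OUTPUT='Row: 0 _data=/storage/emulated/0/DCIM/Camera/IMG_20251130_101500.jpg
Row: 1 _data=/storage/emulated/0/Android/media/com.whatsapp/WhatsApp/Media/WhatsApp Images/IMG-20251201-WA0007.jpg
Row: 2 _data=/storage/emulated/0/Download/report.pdf
Row: 3 _data=/storage/emulated/0/Android/media/com.whatsapp/WhatsApp/Media/WhatsApp Documents/invoice.pdf'

# Print the _data path of every row that lies under a WhatsApp media directory.
# Reads "content query" output on stdin. Paths may contain spaces
# ("WhatsApp Images"), so everything after the first "_data=" is the path.
whatsapp_media_paths() {
    sed -n 's/^Row: [0-9]* _data=//p' | grep '/WhatsApp/Media/'
}

# Count WhatsApp media rows in the query output given on stdin.
whatsapp_media_count() {
    whatsapp_media_paths | wc -l | tr -d ' '
}

# Return 0 if a file with the given basename ($1) is indexed under WhatsApp
# media in the query output given on stdin, 1 otherwise.
media_indexed() {
    whatsapp_media_paths | grep -q "/$1\$"
}

# Against a real device (not run here) pipe the live query through the filter:
#   adb shell content query --uri content://media/external/file --projection _data \
#       | whatsapp_media_paths
printf '%s\n' "$SAMPLE_QUERY_OUTPUT" | whatsapp_media_paths
```

Run the query before and after step 5 of the reproduction and diff the filtered output; a new row under WhatsApp Media that appears without Victim opening the group is the indicator of the bypass. Checking the basename with media_indexed is handy when the attacker's client shows the file name the image was sent under.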
VERSION
WhatsApp Version: 2.25.23.81 (stable on the WhatsApp website).
WhatsApp Version: 2.25.22.80 (stable on the Play Store).
Credit Information
Brendon Tiszka of Google Project Zero.
This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2025-11-30.