Man-in-the-Disk Vulnerability in WhatsApp [CVE-2021-24027]

We discussed this vulnerability during Episode 73 on 20 April 2021

tl;dr WhatsApp stored TLS session resumption files on the sdcard, where a malicious application or an attacker using some social engineering could read them.

Man in the Disk is any sort of attack that allows an attacker to modify or read sensitive files from the disk. In WhatsApp's case, it's just weak file permissions: TLS session information (used for TLS session resumption) was stored on the sdcard rather than within the sandboxed application data directory.
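As an added audit example (not from the writeup or WhatsApp's own code), a small Python script that scans a constructed, simplified `ls -l`-style file listing for TLS session material living under shared storage and suggests the app-private directory it should have been in; the package and file names are hypothetical.

```python
"""Audit an Android file listing for TLS session state kept on shared
storage (the sdcard) instead of the app-private data directory.

The listing below is constructed for this example in a simplified
ls -l style (mode owner group size path); the package and file names
are hypothetical and not WhatsApp's real paths."""
import re
from dataclasses import dataclass
from typing import Optional

# Shared-storage roots readable by any app with storage permission
# (or via the Media content provider), i.e. Man-in-the-Disk territory.
SHARED_ROOTS = ("/sdcard/", "/storage/emulated/0/")
# Name fragments that suggest TLS session / resumption material.
SENSITIVE_NAME = re.compile(r"tls|ssl|session|ticket|resum", re.IGNORECASE)
# Owning package of an /Android/{data,media,obb}/<pkg>/ path.
PKG_RE = re.compile(r"/Android/(?:data|media|obb)/([\w.]+)/")

SAMPLE_LISTING = """\
-rw-rw---- u0_a123 sdcard_rw 2048 /sdcard/Android/media/com.example.chat/tls_session_cache.bin
-rw-rw---- u0_a123 sdcard_rw 81920 /sdcard/Android/media/com.example.chat/stickers/pack1.webp
-rw------- u0_a123 u0_a123 2048 /data/data/com.example.chat/files/tls_session_cache.bin
-rw-rw---- u0_a123 sdcard_rw 512 /sdcard/Download/notes.txt
"""

@dataclass
class Finding:
    path: str
    recommended_dir: Optional[str]  # where the file should live instead

def parse_listing(text):
    """Yield file paths from 'mode owner group size path' lines."""
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5 and parts[0].startswith("-"):
            yield parts[4]

def private_dir_for(path):
    """App-private internal files dir for the package owning a shared path."""
    m = PKG_RE.search(path)
    return f"/data/data/{m.group(1)}/files" if m else None

def audit(text):
    """Return a Finding for each sensitive-looking file on shared storage."""
    findings = []
    for path in parse_listing(text):
        name = path.rsplit("/", 1)[-1]
        if path.startswith(SHARED_ROOTS) and SENSITIVE_NAME.search(name):
            findings.append(Finding(path, private_dir_for(path)))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LISTING):
        print(f"{f.path}: move to {f.recommended_dir or 'app-private storage'}")
```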

The writeup also explores how this could be abused, first by leaking the sdcard content with some social engineering and a Chrome CVE that incorrectly applies restrictions on what files JS from a content:// page can read, allowing an opened JS file to basically read any file through the Media Content provider, including the WhatsApp session cache files.

Once an attacker has the session resumption information, it becomes possible to MitM the connection and either attack the extraction process when downloading stickers and such to overwrite WhatsApp libraries, or expose the Noise protocol key pair to snoop on e2e traffic.