WhatsApp Patches Vulnerability in Image Filter Function That Could Have Led to Data Exposure

WhatsApp has patched a vulnerability that could have allowed an attacker to read sensitive information from the app’s memory, including private messages, using a specially crafted image. The vulnerability was reported to WhatsApp by cybersecurity firm Check Point Research. It existed within the image filter function of WhatsApp for Android and WhatsApp Business for Android, which allows users to add filters to their images. The Facebook-owned company fixed the security issue after it was reported by Check Point researchers and said it had no evidence that the vulnerability was ever abused. Described as an “Out-Of-Bounds read-write vulnerability”, the issue was disclosed to WhatsApp by Check Point Research on November 10, 2020.

WhatsApp took some time to fix the bug and issued a patch in February. It was provided to end-users through version of WhatsApp for Android and WhatsApp Business for Android apps. Researchers at Check Point Research discovered the vulnerability, which is technically a memory corruption issue, while looking at how WhatsApp processes and sends images on its platform. During the research, they found that the image filter function of the messaging app crashed when it was used with some specially crafted GIF files. That crash led the researchers to the flaw.


According to Check Point Research, the vulnerability could be triggered after a user opens an attachment containing a maliciously crafted image file, tries to apply a filter, and then sends the image with the filter applied back to the attacker. The researchers therefore noted that attackers would have required “complex steps and extensive user interaction” to exploit the issue. If successfully exploited, however, the vulnerability could have allowed attackers to read sensitive information from WhatsApp memory, including private messages and previously shared images and videos.

“Once we discovered the security vulnerability, we quickly reported our findings to WhatsApp, which was cooperative and collaborative in issuing a fix. The result of our collective efforts is a safer WhatsApp for users worldwide,” said Oded Vanunu, Head of Products Vulnerabilities Research at Check Point, in a prepared statement. WhatsApp has listed the vulnerability details on its security advisories site as CVE-2020-1910. The platform added two new checks on source and filter images to restrict memory access.
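The idea of checking both the source image and the filter image before touching memory can be pictured with a short C sketch. This is an added example, not WhatsApp's or Check Point's code: the `image_t` layout, the function names and the assumption that the filter loop expects 4-byte RGBA pixels are hypothetical, and the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical image descriptor; field names are illustrative only. */
typedef struct {
    uint8_t *pixels;       /* start of the pixel buffer */
    size_t   buf_len;      /* bytes actually allocated */
    uint32_t width, height;
    uint32_t stride;       /* bytes per row as reported by the decoder */
    uint32_t bytes_per_px; /* 4 for RGBA, 1 for 8-bit palette/greyscale */
} image_t;

/* The filter loop assumes RGBA, so verify format and size before any access. */
static int image_ok_for_rgba(const image_t *im)
{
    if (!im || !im->pixels || im->width == 0 || im->height == 0) return 0;
    if (im->bytes_per_px != 4) return 0;                /* format check */
    if (im->stride < (uint64_t)im->width * 4) return 0; /* row fits in stride */
    return (uint64_t)im->stride * im->height <= im->buf_len; /* size check */
}

/* Blend filter into src; returns 0 on success, -1 if either image is rejected. */
int apply_filter(image_t *src, const image_t *filter)
{
    if (!image_ok_for_rgba(src) || !image_ok_for_rgba(filter)) return -1;
    if (src->width != filter->width || src->height != filter->height) return -1;
    for (uint32_t y = 0; y < src->height; y++) {
        uint8_t *s = src->pixels + (size_t)y * src->stride;
        const uint8_t *f = filter->pixels + (size_t)y * filter->stride;
        for (size_t i = 0; i < (size_t)src->width * 4; i++)
            s[i] = (uint8_t)((s[i] + f[i]) / 2);
    }
    return 0;
}

/* Constructed inputs: "bad" is a 4x4 image with 1 byte per pixel (16 bytes),
 * which an unchecked RGBA loop would overrun by 48 bytes. */
int demo(void)
{
    static uint8_t small[16], rgba_a[64], rgba_b[64];
    image_t bad = { small,  sizeof small,  4, 4, 4,  1 };
    image_t a   = { rgba_a, sizeof rgba_a, 4, 4, 16, 4 };
    image_t b   = { rgba_b, sizeof rgba_b, 4, 4, 16, 4 };
    rgba_a[0] = 100; rgba_b[0] = 50;
    return apply_filter(&bad, &b) == -1   /* bad source rejected */
        && apply_filter(&a, &bad) == -1   /* bad filter rejected */
        && apply_filter(&a, &b) == 0 && rgba_a[0] == 75;
}

int main(void) { return demo() ? 0 : 1; }
```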

“People should not doubt that end-to-end encryption continues to work as intended and people’s messages remain safe and secure,” WhatsApp said in its statement to Check Point Research. “This report involves multiple steps a user would have needed to take, and we have no reason to believe this bug would have impacted users. Even the most complex scenarios researchers identify can help increase user security.” WhatsApp also recommends its users keep their apps and operating systems up to date, download updates whenever they’re available, report suspicious messages, and reach out directly to its team if they experience issues using WhatsApp.

Katie Axon
