WhatsApp has fixed a vulnerability that could allow an attacker to use a specially crafted image to read sensitive information from the app’s memory, including private messages. The vulnerability was reported to WhatsApp by cybersecurity firm Check Point Research and existed in the image filter function of WhatsApp for Android and WhatsApp Business for Android, which allows users to add filters to their images. The Facebook-owned company fixed the security issue after it was reported by Check Point researchers and said there was no evidence that the vulnerability was abused.
Dubbed “out of bounds read and write vulnerability”, the issue was disclosed to WhatsApp by Check Point Research on November 10, 2020. WhatsApp took a while to fix the bug and released a patch in February. It has been provided to end users through version 188.8.131.52 of WhatsApp for Android and WhatsApp Business for Android apps.
Check Point Research discovered the vulnerability, which is technically a memory corruption issue, while observing the way WhatsApp processes and sends images on its platform. During the research, the messaging application’s image filter function was found to crash when used with some specially designed GIF files. This led the researchers to identify the vulnerability.
According to Check Point Research, the vulnerability could be triggered after a user opens an attachment containing a maliciously crafted image file, tries to apply a filter, and then sends the image with the filter applied back to the attacker. The researchers therefore noted that hackers would have required “complex steps and extensive user interaction” to exploit the problem.
However, if successfully exploited, the vulnerability would allow hackers to read sensitive information from WhatsApp memory, including private messages and previously shared images and videos.
“Once we discovered the security vulnerability, we quickly reported our findings to WhatsApp, which was cooperative and collaborative in issuing a fix. The result of our collective efforts is a more secure WhatsApp for users around the world,” said Oded Vanunu, Head of Product Vulnerability Research at Check Point, in a prepared statement.
WhatsApp listed the vulnerability details on its security advisory site as CVE-2020-1910. The platform has added two new checks on source and filter images to restrict memory access.
“People should have no doubt that end-to-end encryption continues to work as intended and people’s messages remain safe and secure,” WhatsApp said in its statement to Check Point Research. “This report involves several steps that a user would have to take and we have no reason to believe that users would have been affected by this bug. That said, even the most complex scenarios researchers identify can help improve security for users.”
WhatsApp also recommended that users keep their apps and operating systems up to date, download updates whenever they are available, report suspicious messages, and contact its team directly if they have problems using WhatsApp.