WhatsApp has patched a vulnerability that could allow an attacker to read sensitive information from the app’s memory, including private messages using a specially crafted image. The vulnerability was reported to WhatsApp by cybersecurity firm Check Point Research, and it existed within the image filter function of WhatsApp for Android and WhatsApp Business for Android that allows users to add filters to their images. The Facebook-owned company fixed the security issue after it was reported by Check Point researchers and claimed that there was no evidence that the vulnerability was ever abused.
Called “Too far out read-compose weakness”, the issue was unveiled to WhatsApp with a money order Point Research on November 10, 2020. WhatsApp took some time in fixing the bug and gave a fix in February. It was given to enduserss through the form 126.96.36.199 of both WhatsApp for Android and WhatsApp Business for Android applications.
Analysts at Check Point Research had the option to find the vulnerability that is actually a memory corruption issue while looking at the way WhatsApp processes and sends images on its platform. During the research, it was found that the image filter function of the messaging app crashes when it was used with some specially-designed GIF files. That brought the researchers to the point from where they were able to spot the loophole.
As per Check Point Research, the vulnerability could be set off after a users opens an attachment containing a maliciously crafted image file, tries to apply a filter, and then sends the image with the filter applied back to the attacker. The researchers, thus, noted that hackers would have required “complex steps and extensive user interaction” to exploit the issue.
Nonetheless, on the off chance that it very well may be effectively taken advantage of, the weakness is professed to permit programmers to peruse touchy data from WhatsApp memory that incorporate private messages and recently shared pictures and recordings.
“Once we discovered the security vulnerability, we quickly reported our findings to WhatsApp, who was cooperative and collaborative in issuing a fix. The result of our collective efforts is a safer WhatsApp for users worldwide,” said Oded Vanunu, Head of Products Vulnerabilities Research at Check Point, in a prepared statement.
WhatsApp has listed the details of the vulnerability on its security advisories site as CVE-2020-1910. The platform added two new checks on source and filter images to restrict memory access.
“People should have no doubt that end-to-end encryption continues to work as intended and people’s messages remain safe and secure,” WhatsApp said in its statement given to Check Point Research. “This report involves multiple steps a user would have needed to take and we have no reason to believe users would have been impacted by this bug. That said, even the most complex scenarios researchers identify can help increase security for users.”
WhatsApp also recommened its users to keep their applications and operating systems up to date, download updates whenever they’re available, report suspicious messages, and reach out directly to its team if they experience issues using WhatsApp.