WhatsApp Patches Vulnerability in Image Filter Function That Could Have Led to Data Exposure
WhatsApp has patched a vulnerability that could allow attackers to read sensitive information from the app’s memory, including private messages, using specially crafted images. The vulnerability was reported to WhatsApp by cybersecurity firm Check Point Research, and it exists in the image filtering functionality of WhatsApp for Android and WhatsApp Business for Android that allows users to add filters to their images. The Facebook-owned company fixed the security issue after it was reported by Check Point researchers and stated that there was no evidence that the vulnerability was ever abused.
Called an “Out-Of-Bounds read-write vulnerability,” the issue was disclosed to WhatsApp by Check Point Research on November 10, 2020. WhatsApp took some time to fix the bug and released a patch in February. The fix is available to end users in version 2.21.1.13 of both the WhatsApp for Android and WhatsApp Business for Android apps.
Researchers at Check Point Research uncovered the flaw, which is technically a memory corruption issue, while looking at how WhatsApp handles and sends images on its platform. During the research, they found that the messaging app’s image filtering function failed when it was used with some specially crafted GIF files. That failure led the researchers to the vulnerability.
According to Check Point Research, the vulnerability could be triggered after a user opens an attachment containing a malicious image file, tries to apply a filter, and then sends the image with the filter applied back to the attacker. As a result, the researchers note that hackers would require “complex steps and extensive user interaction” to exploit the problem.
However, if successfully exploited, the vulnerability is said to allow hackers to read sensitive information from WhatsApp storage including previously shared private messages, pictures and videos.
“When we discovered the security flaw, we promptly reported our findings to WhatsApp, who collaborated and collaborated in delivering the fix. The result of our collective efforts is a safer WhatsApp for users around the world,” said Oded Vanunu, Head of Product Vulnerability Research at Check Point, in a prepared statement.
WhatsApp has detailed the vulnerability on its security advisory website as CVE-2020-1910. The platform added two new checks on the source and an image filter to restrict memory access.
“There should be no doubt that end-to-end encryption continues to work as intended and that people’s messages remain safe and secure,” WhatsApp said in a statement issued to Check Point Research. “This report involves many steps that users will need to take and we have no reason to believe that users will be affected by this bug. That said, even the most complex scenarios the researchers identified can help increase security for users.”
WhatsApp also recommends that users update their apps and operating system, download updates whenever they are available, report suspicious messages, and contact its team directly if they are having trouble using WhatsApp.