WhatsApp just fixed a high-gravity security threat in the app’s image filter that could crash the program and even reveal your sensitive information to hackers.
Discovered by Check Point Research (CPR), the bug (CVE-2020-1910) concerns an out-of-bound read/write and originates from applying a particular image filter and sending the filtered image to the user, thereby opening a pathway for hackers to access sensitive data stored in the app’s memory.
The bug holds a 7.8 out of 10 ratings on the CVSS vulnerability-severity scale, as it was a memory-corruption error and impacts heap-based, out-of-bounds read and write issues. Usually, such vulnerability enables hackers to read confidential information or cause a crash.
“CPR learned that switching between various filters is crafted. GIF files indeed caused WhatsApp to crash,” according to a report published by CPR.
“What’s important about this issue is that given a very unique and complicated set of circumstances, it could have potentially led to the exposure of sensitive information from the WhatsApp application,” according to the agency.
The vulnerability was reported to WhatsApp in November 2020 and patched in the updated version 2.21.1.13 of the application, released in February 2021. This vulnerability could have been catastrophic if it was in the knowledge of hackers.
No exploitation of the bug was reported, though.
“A missing bounds check in WhatsApp for Android prior to v2.21.1.13 and WhatsApp Business for Android prior to v2.21.1.13 could have allowed out-of-bounds read and write if a user applied specific image filters to a specially- crafted image and set the resulting image,” WhatsApp revealed in its advisory published in February 2021.
That said, update your app if you haven’t! And if your WhatsApp is already updated, you can validate the fix by this method:
- Check the image format (ANDROID_BITMAP_FORMAT_RGBA_8888). Your source image and filtered image should be in RGBA format.
- Check the image size: (stride*height/4 should be equal to width*height.
The spokesperson of WhatsApp ensured that the company works with security researchers “to improve the numerous ways WhatsApp protects people’s messages, and we appreciate the work that Check Point does to investigate every corner of our app.” ‘People should have no doubt that end-to-end encryption continues to work as intended and people’s messages remain safe and secure,” the spokesperson added.
About 55 billion messages are exchanged daily over WhatsApp, along with 4.5 billion images and 1 billion videos shared each day. A bug of such severity on a popular messaging app could wreak havoc and jeopardize the privacy of billions of users worldwide. Hence, it is recommended to keep your social apps updated or use privacy tools to prevent any potential data breach.