WhatsApp Photo Filter flaw allowed Attackers to exploit data
A security vulnerability in WhatApp’s image filter component could have been exploited by the attackers to send an infected image over the app in an attempt to read sensitive information from the memory of the app.
The flaw is tracked as CVE-2020-1910 (CVSS score: 7.8). It concerns out-of-bounds read/write and originates from applying image filters to a rogue image and transferring the changed image to a recipient, allowing the adversary to gain access to valuable data in the app’s memory.
Whatsapp’s advisory stated that missing bounds check in WhatsApp for Android versions before 188.8.131.52 and WhatsApp Business for Android versions before 184.108.40.206 could have permitted out-of-bounds read and write if the user applied particular filters to images and sent it.
Check Point Research, the Cybersecurity firm, identified and reported the issue to the Facebook-owned platform after testing its ability to crash WhatsApp through switching between filters on the infected GIF files. The flaw has now been patched.
The flaw was particularly rooted in an “applyFilterIntoBuffer()” function that controls image filters. It takes the source image, puts on the user-selected filter, and copies the outcome into the destination buffer. The researcher conducted reverse-engineering on the “libwhatsapp.so” library and found that the vulnerable function depended on the supposition that the source and filtered images have the same dimensions along with the same RGBA color format.
Since each RGBA pixel is stored as 4 bytes, an image with 1 byte per pixel can be only be exploited to attain an out-of-bounds memory access. This is because the function makes an attempt to read and copy 4 times the quantity of the allocated source image buffer.
WhatsApp stated that it is of the belief that no users would have been affected by this flaw. The WhatsApp version 220.127.116.11 and all later ones have two new checks added on the source image and filter image that make sure that the images are in RGBA format and that they have 4 bytes per pixel to avoid reads by unauthorized personnel.