Researchers have disclosed a WhatsApp bug in the app's image-filter (pic-retouching) feature that could have let an attacker read sensitive data out of WhatsApp's memory, so be careful whose pictures you open and keep the app updated.
The vulnerability sat inside WhatsApp's pic-retouching tool and was disclosed by Check Point Research (CPR). An attacker could trigger it by sending a specially crafted image, such as a malformed .GIF file, to a potential victim who then applies one of WhatsApp's image filters to it. These filters sit among the app's other visual-effects tools, which are used to change color, saturation, tone, and so on.
According to CPR, the vulnerability (CVE-2020-1910) scores 7.8 out of 10 on the CVSS severity scale. The researchers attribute it to a memory-corruption error, specifically an out-of-bounds read-and-write issue. Bugs of this type can typically let an attacker leak sensitive data from the process or crash the app.
CPR said in a Thursday report that they “learned that switching between various filters on crafted .GIF files indeed caused WhatsApp to crash.”
“What’s important about this issue is that given a very unique and complicated set of circumstances, it could have potentially led to the exposure of sensitive information from the WhatsApp application,” CPR added.
WhatsApp Bug CVE-2020-1910 Explained
CPR found that the bug lived in a native WhatsApp function called “applyFilterIntoBuffer()” in the libwhatsapp.so library. The function takes three AndroidBitmap objects as parameters:
- “src_jbitmap” – Represents the input image.
- “flt_jbitmap” – Represents the filter to apply.
- “dst_jbitmap” – Holds the result of the new image.
What the function does is look at the original image pixels, calculate new pixel values by applying the filter, then copy those values into the destination buffer.
To do so, it calls the Android NDK function “AndroidBitmap_getInfo” on the source and filter images, which fills in a structure called “AndroidBitmapInfo.” This holds the image parameters: width, height, stride, format, and flags.
According to CPR, on each iteration both the source and destination pointers advance by the image height multiplied by four, which the function treats as the column size in bytes.
“The problem is that both destination and source images are assumed to have the same dimensions and also the same-format RGBA [color value] (meaning each pixel is stored as four bytes, hence the multiplication by four),” according to the researchers. “However, there are no checks performed on the format of the source and destination images.”
This lets an attacker craft a source image stored with only one byte per pixel. The vulnerable function still walks it as though every pixel occupied four bytes, so it tries to read and copy four times the size of the allocated source buffer, an out-of-bounds memory access.
“This is the crash we got…caused by the program trying to read from an unmapped memory region,” researchers explained.
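To make the missing check concrete, here is an added example in C (not Check Point's analysis code and not WhatsApp's libwhatsapp.so source): a simplified stand-in for the filter loop that trusts the RGBA assumption, next to a hardened version that validates format, dimensions and stride first. The struct fields and the format constants mirror the Android NDK's AndroidBitmapInfo and AndroidBitmapFormat; the function names, the 50% blend and the 4x4 sample images are assumptions constructed for the demonstration.

```c
// Added example (not CPR's or WhatsApp's code): a minimal model of the
// unchecked-format pattern described above, beside a hardened version.
// BitmapInfo and the FMT_* values mirror the NDK's AndroidBitmapInfo /
// AndroidBitmapFormat; everything else is a simplified stand-in.
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

enum { FMT_RGBA_8888 = 1, FMT_RGB_565 = 4, FMT_A_8 = 8 }; /* NDK enum values */

typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t stride;   /* bytes per row as allocated */
    int32_t  format;
} BitmapInfo;

/* Size of the pixel buffer actually backing a bitmap. */
static size_t buffer_size(const BitmapInfo *info) {
    return (size_t)info->stride * info->height;
}

/* Bytes the vulnerable loop touches: it assumes 4 bytes per pixel
 * no matter what the real format is. */
static size_t vulnerable_bytes_read(const BitmapInfo *src) {
    return (size_t)src->width * src->height * 4;
}

/* Ratio of bytes read to bytes allocated; anything above 1 is an
 * out-of-bounds read. A one-byte-per-pixel source gives 4. */
static size_t overread_factor(const BitmapInfo *src) {
    return vulnerable_bytes_read(src) / buffer_size(src);
}

/* Vulnerable pattern: blends src with flt into dst, trusting that all three
 * are same-sized RGBA. Fed a non-RGBA source it reads past the buffer. */
static void apply_filter_unchecked(const uint8_t *src, const uint8_t *flt,
                                   uint8_t *dst, const BitmapInfo *info) {
    size_t n = (size_t)info->width * info->height * 4;
    for (size_t i = 0; i < n; i++)
        dst[i] = (uint8_t)((src[i] + flt[i]) / 2);   /* simple 50% blend */
}

/* Hardened: validate format, dimensions and stride before touching pixels.
 * Returns 0 on success, -1 if any input violates the RGBA assumption. */
static int apply_filter_checked(const uint8_t *src, const BitmapInfo *src_info,
                                const uint8_t *flt, const BitmapInfo *flt_info,
                                uint8_t *dst, const BitmapInfo *dst_info) {
    const BitmapInfo *all[3] = { src_info, flt_info, dst_info };
    for (int k = 0; k < 3; k++) {
        if (all[k]->format != FMT_RGBA_8888) return -1;
        if (all[k]->width != src_info->width ||
            all[k]->height != src_info->height) return -1;
        if (all[k]->stride < all[k]->width * 4) return -1;  /* row too short */
    }
    /* Stride may exceed width*4 (row padding), so walk row by row. */
    for (uint32_t y = 0; y < src_info->height; y++) {
        const uint8_t *s = src + (size_t)y * src_info->stride;
        const uint8_t *f = flt + (size_t)y * flt_info->stride;
        uint8_t *d = dst + (size_t)y * dst_info->stride;
        for (size_t x = 0; x < (size_t)src_info->width * 4; x++)
            d[x] = (uint8_t)((s[x] + f[x]) / 2);
    }
    return 0;
}

/* Constructed inputs: a 4x4 RGBA image and a 4x4 one-byte-per-pixel image. */
static const BitmapInfo RGBA_4x4 = { 4, 4, 16, FMT_RGBA_8888 };
static const BitmapInfo A8_4x4   = { 4, 4,  4, FMT_A_8 };

int main(void) {
    uint8_t src[64], flt[64], dst[64];
    memset(src, 200, sizeof src);
    memset(flt, 100, sizeof flt);

    printf("A_8 source: loop reads %zu bytes from a %zu-byte buffer (%zux over-read)\n",
           vulnerable_bytes_read(&A8_4x4), buffer_size(&A8_4x4), overread_factor(&A8_4x4));

    int rc = apply_filter_checked(src, &A8_4x4, flt, &RGBA_4x4, dst, &RGBA_4x4);
    printf("checked filter on A_8 source: %s\n", rc == 0 ? "accepted" : "rejected");

    /* The unchecked loop is only safe when the assumption actually holds. */
    apply_filter_unchecked(src, flt, dst, &RGBA_4x4);
    rc = apply_filter_checked(src, &RGBA_4x4, flt, &RGBA_4x4, dst, &RGBA_4x4);
    printf("checked filter on RGBA source: %s, dst[0]=%u\n",
           rc == 0 ? "accepted" : "rejected", dst[0]);
    return 0;
}
```

The point of the hardened version is that the metadata returned for each bitmap is treated as untrusted input: the format must be the one the arithmetic assumes, the three images must agree in size, and the copy must respect the allocated stride rather than a computed one.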
WhatsApp Bug Exploited – How Damaging Could This Attack Be?
CPR did not disclose many details about how the bug could be exploited in practice, nor what kind of information an attacker could obtain. A spokesperson noted, however, that “the scenario for exploitation is a bit complex and requires extensive user interaction to execute.”
“We have seen multiple variants of the same attack. We have observed that such attacks typically execute an exploit chain taking advantage of multiple vulnerabilities across the app and the operating system in tandem. For example, the first such discovered chain exploited a vulnerability (since patched) in the Safari browser to break out of the application sandbox, following which multiple operating system vulnerabilities (also, since patched) were exploited to elevate privileges and install spyware without the user’s knowledge,” said Burak Agca, an engineer at Lookout.
He went on to add that “the WhatsApp exploit seems to exhibit similar behavior, and the end-to-end details of these types of exploits come under scrutiny by the security community. For individuals and enterprises, clearly, relying on WhatsApp saying its messaging is encrypted end-to-end is simply not enough to keep sensitive data safe.”
The sheer size of WhatsApp's user base makes such a bug attractive: “With over two billion active users, WhatsApp can be an attractive target for attackers,” said Oded Vanunu, Head of Products Vulnerability Research at Check Point, adding that roughly 55 billion messages, 4.5 billion photos, and 1 billion videos are shared on the platform every day.
Latest WhatsApp Update To Fix The Problem
WhatsApp’s developers patched the vulnerability in WhatsApp for Android and WhatsApp Business for Android version 2.21.1.13, so make sure you keep your app updated.
“People should have no doubt that end-to-end encryption continues to work as intended and people’s messages remain safe and secure,” WhatsApp said in a statement. “This report involves multiple steps a user would have needed to take and we have no reason to believe users would have been impacted by this bug. That said, even the most complex scenarios researchers identify can help increase security for users. As with any tech product, we recommend that users keep their apps and operating systems up to date, to download updates whenever they’re available, to report suspicious messages, and to reach out to us if they experience issues using WhatsApp.”