WhatsApp patches vulnerability related to image filter functionality

Check Point Research discovered the vulnerability, which involved maliciously crafted image files.
Written by Jonathan Greig, Contributor

Check Point Research has announced the discovery of a vulnerability in the popular messaging platform WhatsApp that allowed attackers to read sensitive information from WhatsApp's memory.

WhatsApp acknowledged the issue and released a security fix for it in February. 

The messaging platform -- considered the most popular globally with about two billion monthly active users -- had an "Out-Of-Bounds read-write vulnerability" related to the platform's image filter functionality, according to Check Point Research. 

The researchers noted that exploitation of the vulnerability would have "required complex steps and extensive user interaction." WhatsApp said there is no evidence that the vulnerability was ever abused.  

The vulnerability was triggered "when a user opened an attachment that contained a maliciously crafted image file, then tried to apply a filter, and then sent the image with the filter applied back to the attacker."

Check Point researchers discovered the vulnerability and disclosed it to WhatsApp on November 10, 2020. By February, WhatsApp issued a fix in version that added two new checks on source images and filter images. 

"Approximately 55 billion messages are sent daily over WhatsApp, with 4.5 billion photos and 1 billion videos shared per day. We focused our research on the way WhatsApp processes and sends images. We started with a few image types such as bmp, ico, gif, jpeg, and png, and used our AFL fuzzing lab at Check Point to generate malformed files," the report explained. 

"The AFL fuzzer takes a set of input files and applies various modifications to them in a process called a mutation. This generates a large set of modified files, which are then used as input in a target program. When the tested program crashes or hangs due to these crafted files, this might suggest the discovery of a new bug, possibly a security vulnerability." 

From there, the researchers began to "fuzz" WhatsApp libraries and quickly realized that some images could not be sent, forcing the team to find other ways to use the images. They settled on image filters because they require a significant number of computations and were a "promising candidate to cause a crash."

Image filtering involves "reading the image contents, manipulating the pixel values and writing data to a new destination image," according to the Check Point researchers, who discovered that "switching between various filters on crafted GIF files indeed caused WhatsApp to crash."

"After some reverse engineering to review the crashes we got from the fuzzer, we found an interesting crash that we identified as memory corruption. Before we continued our investigation we reported the issue to WhatsApp, which gave us a name for this vulnerability: CVE-2020-1910 Heap-Based out-of-bounds read and write. What's important about this issue is that given a very unique and complicated set of circumstances, it could have potentially led to the exposure of sensitive information from the WhatsApp application," the researchers said. 

"Now that we know we have Heap Based out of bounds read and write according to WhatsApp, we started to dig deeper. We reverse-engineered the libwhatsapp.so library and used a debugger to analyze the root cause of the crash. We found that the vulnerability resides in a native function applyFilterIntoBuffer() in the libwhatsapp.so library."

The crash occurs because applyFilterIntoBuffer() assumes the destination and source images have the same dimensions; a "maliciously crafted source image" whose size does not match that assumption leads to an out-of-bounds memory access, causing a crash.

The fix adds two checks: it validates that the image format equals 1, meaning both the source and filter images must be in RGBA format, and it validates the image size by checking the dimensions of the image.
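To make the bug class and the fix concrete, here is an added illustration in C that is not Check Point's or WhatsApp's code. The image record, the RGBA-only "format equals 1" convention, the invert filter and the function names are all assumptions; it shows a filter loop that takes its bounds from the destination image while reading the source at the same offsets (the mismatch the article describes), a helper that computes how far such a loop would read past a smaller source buffer without actually doing so, and a hardened variant that applies the two checks the fix adds before touching any pixels.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical image record, not WhatsApp's real structure. Format 1 stands
 * for RGBA (4 bytes per pixel), matching the "format equals 1" check. */
#define FORMAT_RGBA 1
#define BYTES_PER_PIXEL 4

typedef struct {
    int width;
    int height;
    int format;
    uint8_t *pixels;   /* width * height * 4 bytes when format == FORMAT_RGBA */
} image_t;

/* Vulnerable pattern: loop bounds come from dst, but src is read at the same
 * (x, y) offsets, i.e. src is silently assumed to have dst's dimensions.
 * With a src smaller than dst the src reads run past src->pixels.
 * Only ever call this after the dimensions have been checked. */
static void apply_filter_unchecked(const image_t *src, image_t *dst) {
    for (int y = 0; y < dst->height; y++) {
        for (int x = 0; x < dst->width; x++) {
            size_t off = ((size_t)y * dst->width + x) * BYTES_PER_PIXEL;
            for (int c = 0; c < 3; c++)              /* invert RGB, keep alpha */
                dst->pixels[off + c] = (uint8_t)(255 - src->pixels[off + c]);
            dst->pixels[off + 3] = src->pixels[off + 3];
        }
    }
}

/* Number of bytes past the end of src->pixels the unchecked loop would read
 * (0 when the images agree). Computed arithmetically, so the over-read is
 * demonstrated without being performed. */
size_t unchecked_overread_bytes(const image_t *src, const image_t *dst) {
    size_t src_len = (size_t)src->width * src->height * BYTES_PER_PIXEL;
    size_t dst_len = (size_t)dst->width * dst->height * BYTES_PER_PIXEL;
    return dst_len > src_len ? dst_len - src_len : 0;
}

/* Hardened version mirroring the two checks described for the fix:
 * (1) both images must be RGBA (format == 1), (2) dimensions must match.
 * Returns 0 on success, -1 if the images are rejected. */
int apply_filter_checked(const image_t *src, image_t *dst) {
    if (src->format != FORMAT_RGBA || dst->format != FORMAT_RGBA)
        return -1;
    if (src->width != dst->width || src->height != dst->height)
        return -1;
    if (src->width <= 0 || src->height <= 0 || !src->pixels || !dst->pixels)
        return -1;
    apply_filter_unchecked(src, dst);  /* safe now: bounds are known equal */
    return 0;
}

/* Builds a constructed test image filled with a single RGBA value. */
image_t make_image(int w, int h, int format,
                   uint8_t r, uint8_t g, uint8_t b, uint8_t a) {
    image_t img = { w, h, format, NULL };
    size_t n = (size_t)w * h;
    img.pixels = malloc(n * BYTES_PER_PIXEL);
    for (size_t i = 0; i < n; i++) {
        img.pixels[i * 4]     = r;
        img.pixels[i * 4 + 1] = g;
        img.pixels[i * 4 + 2] = b;
        img.pixels[i * 4 + 3] = a;
    }
    return img;
}

int main(void) {
    /* Constructed inputs: a 2x2 source and a 4x4 destination. */
    image_t src = make_image(2, 2, FORMAT_RGBA, 10, 20, 30, 255);
    image_t dst = make_image(4, 4, FORMAT_RGBA, 0, 0, 0, 0);
    printf("unchecked loop would read %zu bytes past src\n",
           unchecked_overread_bytes(&src, &dst));
    printf("checked filter result: %d (-1 = rejected)\n",
           apply_filter_checked(&src, &dst));
    free(src.pixels);
    free(dst.pixels);
    return 0;
}
```

The point of the dimension check is that it is made before the loop reads anything, and the format check guarantees the 4-bytes-per-pixel stride used to compute offsets is actually the stride of both buffers; either check alone leaves a way for the offsets to disagree with the allocation.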

In a statement, WhatsApp said they appreciated Check Point's work but noted that no one should worry about the platform's end-to-end encryption. 

"This report involves multiple steps a user would have needed to take and we have no reason to believe users would have been impacted by this bug. That said, even the most complex scenarios researchers identify can help increase security for users," WhatsApp explained. 

"As with any tech product, we recommend that users keep their apps and operating systems up to date, to download updates whenever they're available, to report suspicious messages, and to reach out to us if they experience issues using WhatsApp." 

Facebook, which owns WhatsApp, announced in September 2020 that it would launch a website dedicated to listing all the vulnerabilities that have been identified and patched for the instant messaging service.

WhatsApp previously released a fix for a vulnerability related to a bug in the Voice over IP (VoIP) calling feature of the app on both iOS and Android. 

Burak Agca, an engineer at cloud security company Lookout, told ZDNet that concern about WhatsApp comes from the well-publicized capabilities of spyware created by NSO Group and originally discovered by Lookout and The Citizen Lab.

"We have seen multiple variants of the same attack. We have observed that such attacks typically execute an exploit chain taking advantage of multiple vulnerabilities across the app and the operating system in tandem. For example, the first such discovered chain exploited a vulnerability (since patched) in the Safari browser to break out of the application sandbox, following which multiple operating system vulnerabilities (also, since patched) were exploited to elevate privileges and install spyware without the user's knowledge," Agca said. 

"The WhatsApp exploit seems to exhibit a similar behavior, and the end-to-end details of these types of exploits come under scrutiny by the security community. For individuals and enterprises, it is clear relying on WhatsApp saying its messaging is encrypted end to end is simply not enough to keep sensitive data safe."
