
Patched WhatsApp Vulnerability Could Have Exposed Users' Data


Security researchers with Check Point recently released information on a vulnerability in WhatsApp that could have been exploited to gain illegal access to sensitive user information. The issue has since been patched by WhatsApp and does not affect current versions of the application, but Check Point has only now published its full report on it.

The issue is tracked as CVE-2020-1910 and has been assigned a high base score of 7.8. Check Point researchers describe it as an out-of-bounds read-write bug. The report provides more detail on how exactly the vulnerability could have been exploited.

The bug revolves around using the WhatsApp image filter tools. While the steps and circumstances surrounding the exploitable vulnerability are a bit convoluted, they could be reproduced easily in testing.

If a user opened an image attachment sent by a bad actor that had been doctored in a malicious way, for example a malformed GIF, then applied one of the application's image filters and finally sent the image back, this could lead to data exposure.

The application did not perform format checking when working with the original and destination images and could be tricked into crashing with malformed image files.

The issue was reported by Check Point as early as November 2020 and has long since been patched by WhatsApp, which mentioned it in the company's security advisory report published in early 2021.
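The kind of check whose absence is described above can be sketched as follows. This is an added example, not code from WhatsApp or from the Check Point report: the `image_t` layout, the function names and the assumption that the filter works on 4-byte RGBA pixels are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical image descriptor (an assumption, not WhatsApp's structure). */
typedef struct {
    uint32_t width, height;
    uint32_t bytes_per_pixel;   /* 4 = RGBA, 1 = palette or grayscale */
    uint32_t stride;            /* bytes per row */
    uint8_t *pixels;
    size_t   size;              /* bytes actually allocated in pixels */
} image_t;

enum { FILTER_OK = 0, FILTER_BAD_FORMAT = -1, FILTER_BAD_SIZE = -2 };

/* Returns 1 only if the descriptor is RGBA and its buffer covers every row. */
static int image_is_valid_rgba(const image_t *im) {
    if (!im || !im->pixels) return 0;
    if (im->bytes_per_pixel != 4) return 0;            /* format check */
    if (im->width == 0 || im->height == 0) return 0;
    if (im->width > UINT32_MAX / 4) return 0;          /* width * 4 must not wrap */
    if (im->stride < im->width * 4) return 0;          /* a row must fit in the stride */
    if ((size_t)im->height > im->size / im->stride) return 0; /* rows must fit in buffer */
    return 1;
}

/* Invert filter: touches pixel memory only after both images pass validation. */
int apply_invert_filter(const image_t *src, image_t *dst) {
    if (!image_is_valid_rgba(src) || !image_is_valid_rgba(dst))
        return FILTER_BAD_FORMAT;
    if (src->width != dst->width || src->height != dst->height)
        return FILTER_BAD_SIZE;
    for (uint32_t y = 0; y < src->height; y++) {
        const uint8_t *s = src->pixels + (size_t)y * src->stride;
        uint8_t *d = dst->pixels + (size_t)y * dst->stride;
        for (uint32_t x = 0; x < src->width; x++) {
            for (int c = 0; c < 3; c++)                /* invert R, G, B */
                d[4 * x + c] = (uint8_t)(255 - s[4 * x + c]);
            d[4 * x + 3] = s[4 * x + 3];               /* keep alpha */
        }
    }
    return FILTER_OK;
}

int main(void) {
    uint8_t s[4] = {1, 2, 3, 4}, d[16] = {0};          /* constructed sample data */
    image_t src = {2, 2, 1, 2, s, sizeof s}, dst = {2, 2, 4, 8, d, sizeof d};
    return apply_invert_filter(&src, &dst) == FILTER_BAD_FORMAT ? 0 : 1;
}
```

The 1-byte-per-pixel source in `main` is rejected before the loop runs, so the filter never reads past the 4-byte buffer.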

This vulnerability highlights the importance of keeping every application on every device you own updated to its latest version. When an app is as popular as WhatsApp, with its billions of users worldwide, the potential for criminals to abuse similar issues and zero-day vulnerabilities and harvest immense amounts of data, even from a tiny fraction of the application's user base, is considerable.

Vulnerability CVE-2020-1910 has been fixed in WhatsApp as of version 2.21.2.13.
