Check Point Research (CPR) announced on Thursday that it had discovered a security flaw in WhatsApp’s image filter function that could have been exploited by attackers to read sensitive data, which WhatsApp has since patched it.
In a statement, CPR stated, “CPR exposed a security vulnerability in WhatsApp…An attacker could have exploited the vulnerability to read sensitive information from WhatsApp memory,”
CPR discovered that switching between various filters on crafted GIF files caused WhatsApp to crash during its research study, and that the vulnerability was rooted in WhatsApp’s image filter function.
It noted “CPR identified one of the crashes as memory corruption. CPR promptly reported the problem to WhatsApp, who named for the vulnerability CVE-2020-1910, detailing it as an out-of-bounds read and write issue,”
CPR added that an attacker would have needed to apply appropriate image filters to a specifically crafted image and send the resulting image to successfully exploit the vulnerability.
Check Point Head of Products Vulnerabilities Research Oded Vanunu, said “With over two billion active users, WhatsApp can be an attractive target for attackers. Once we discovered the security vulnerability, we quickly reported our findings to WhatsApp, which was cooperative and collaborative in issuing a fix. The result of our collective efforts is a safer WhatsApp for users worldwide,”
When contacted, a WhatsApp spokeswoman stated that the firm collaborates with security researchers on a regular basis “to improve the numerous ways WhatsApp protects people’s messages, and we appreciate the work that Check Point does to investigate every corner of our app”.
The spokesperson added “People should have no doubt that end-to-end encryption continues to work as intended and people’s messages remain safe and secure,”