A now-patched high-severity security vulnerability in WhatApp’s image filter feature could have been abused to send a malicious image over the messaging app to read sensitive information from the app’s memory.
Tracked as CVE-2020-1910 (CVSS score: 7.8), the flaw concerns an out-of-bounds read/write and stems from applying specific image filters to a rogue image and sending the altered image to an unwitting recipient, thereby enabling an attacker to access valuable data stored the app’s memory.
“A missing bounds check in WhatsApp for Android prior to v2.21.1.13 and WhatsApp Business for Android prior to v2.21.1.13 could have allowed out-of-bounds read and write if a user applied specific image filters to a specially-crafted image and sent the resulting image,” WhatsApp noted in its advisory published in February 2021.
Cybersecurity firm Check Point Research, which disclosed the issue to the Facebook-owned platform on November 10, 2020, said it was able to crash WhatsApp by switching between various filters on the malicious GIF files.
Specifically, the issue was rooted in an “applyFilterIntoBuffer()” function that handles image filters, which takes the source image, applies the filter selected by the user, and copies the result into the destination buffer. By reverse-engineering the “libwhatsapp.so” library, the researchers found that the vulnerable function relied on the assumption that both the source and filtered images have the same dimensions and also the same RGBA color format.
Given that each RGBA pixel is stored as 4 bytes, a malicious image having only 1 byte per pixel can be exploited to achieve an out-of-bounds memory access since the “function tries to read and copy 4 times the amount of the allocated source image buffer.”
WhatsApp said it has “no reason to believe users would have been impacted by this bug.” Since WhatsApp version 2.21.1.13, the company has added two new checks on the source image and filter image that ensure that both source and filter images are in RGBA format and that the image has 4 bytes per pixel to prevent unauthorized reads.