A high-severity security vulnerability in WhatApp’s image filter feature, tracked as CVE-2020-1910, could have been exploited by attackers to read sensitive information from the app’s memory by simply sending a specially crafted image over the messaging app
The flaw was discovered by Check Point experts on November 10, 2020, they discovered that the issue can allow attackers to crash WhatsApp by switching between various filters on the malicious GIF files.
The vulnerability is an out-of-bounds read/write issue and stems from applying specific image filters to a rogue image and sending the altered image to a target user, the flaw has received a CVSS score of 7.8.
“A missing bounds check in WhatsApp for Android prior to v126.96.36.199 and WhatsApp Business for Android prior to v188.8.131.52 could have allowed out-of-bounds read and write if a user applied specific image filters to a specially crafted image and sent the resulting image.” reads the advisory published by WhatsApp.
CheckPoint researchers used a fuzzing technique starting with a set of images of a few image types (i.e. bmp, ico, gif, jpeg, and png) and applied various modifications to them in a process called mutation. Then the experts analyzed the images provided as input that caused the app crash. The experts started to fuzz the interesting WhatsApp libraries and discovered that the flaw resides in the “applyFilterIntoBuffer()” function that handles image filters.
The function takes the source image, applies the filter chosen by the user, and copies the result into the destination buffer.
“We reverse-engineered the libwhatsapp.so library and used a debugger to analyze the root cause of the crash. We found that the vulnerability resides in a native function applyFilterIntoBuffer() in libwhatsapp.so library.” reads the analysis published by CheckPoint. “The problem is that both destination and source images are assumed to have the same dimensions and also the same format RGBA (meaning each pixel is stored as 4 bytes, hence the multiplication by 4).
However, there are no checks performed on the format of the source and destination images.
Therefore, when a maliciously crafted source image has only 1 byte per pixel, the function tries to read and copy 4 times the amount of the allocated source image buffer, which leads to an out-of-bounds memory access.”
WhatsApp replied to CheckPoint that this issue is complex to exploit because it requests multiple actions from the target users.
“This report involves multiple steps a user would have needed to take and we have no reason to believe users would have been impacted by this bug. That said, even the most complex scenarios researchers identify can help increase security for users.” said WhatsApp. “As with any tech product, we recommend that users keep their apps and operating systems up to date, to download updates whenever they’re available, to report suspicious messages, and to reach out to us if they experience issues using WhatsApp.”
(SecurityAffairs – hacking, CVE-2020-1910)