WhatsApp Photo Filter bug could have led to user data exposure


A now-patched high-severity security vulnerability was found in WhatApp’s image filter feature that could have been abused by threat actors to send a malicious image to read sensitive information from the app’s memory.

The vulnerability that has been dubbed CVE-2020-1910 having a CVSS score: 7.8, concerns an out-of-bounds read/write and stems from applying specific image filters to a rogue image and sending the altered image to an unknowing recipient, thereby enabling an attacker to access valuable data stored the app’s memory.

The flaws were found in WhatsApp for Android versions prior to v2.21.1.13 and WhatsApp Business for Android prior to v2.21.1.13

The researchers from the cybersecurity firm Check Point Research has disclosed the issue to Whatsapp on November 10, 2020, by stating that they were able to crash WhatsApp by switching between various filters on the malicious GIF files.

The issue was rooted in an “applyFilterIntoBuffer()” function that handles image filters, which takes the source image, applies the filter selected by the user, and copies the result into the destination buffer. By reverse-engineering the “libwhatsapp.so” library, the researchers found that the vulnerable function relied on the assumption that both the source and filtered images have the same dimensions and also the same RGBA color format.

Given that each RGBA pixel is stored as 4 bytes, a malicious image having only 1 byte per pixel can be exploited to achieve an out-of-bounds memory access since the “function tries to read and copy 4 times the amount of the allocated source image buffer.”

WhatsApp said that they believe that the users would have not been impacted by this bug.  Since WhatsApp version, the company has added two new checks on the source image and filter image that ensure that both source and filter images are in RGBA format and that the image has 4 bytes per pixel to prevent unauthorized reads.


Please enter your comment!
Please enter your name here