Update WhatsApp NOW: a vulnerability exposes your data

WhatsApp has had very serious vulnerabilities in recent years. One of them, the most serious, allowed access to the chats and images of any user just by making a missed call through the app. Now, another vulnerability has allowed attackers to obtain personal data .

This was detailed today by Check Point Research , which discovered a vulnerability in WhatsApp that is quite difficult to exploit. For this, it is necessary a high interaction on the part of the user. The bug affects the WhatsApp image filter, which was activated when a user opens the attached image to apply filters. That image could be modified to contain malicious code. If the user edited the photo, it could generate a hang in the app and allow access to the memory.

Update WhatsApp NOW

A simple GIF for WhatsApp to hang

Researchers stumbled upon the vulnerability when they were testing malicious modifications to image formats such as BMP, ICO, GIF, JPEG, and PNG . Modifications are made with an AFL Fuzzer , which modifies the files in such a way that a program may hang on execution, generating unexpected results. In those crashes a new vulnerability can be discovered.

Therefore, they were conducting tests in different parts of the app, and decided to test the image filters. In this function, the pixels of the images are modified when we apply a filter, such as blur, add detail, change color, etc. This makes them ideal candidates to make the app hang , since there are many calculations and modifications to be made in the file, where if the app finds something unexpected, it can crash. In this case, switching between various filters on modified GIF files in WhatsApp caused WhatsApp to crash.

Reviewing the crashes, they discovered a memory corruption vulnerability. Before continuing to investigate, they communicated this to WhatsApp, assigning it the code CVE-2020-1910 . The flaw lies in a part of the WhatsApp code where the app expects to find each pixel stored in 4 bytes. The researchers stored one pixel per byte, causing the app to crash when trying to read from an unmapped area of memory.

With this, it was possible to access sensitive information in the app stored in memory . To do this, it is necessary to have remote or physical access to the device, which, for example, the FBI can do with mobiles obtained from terrorists or dangerous people.

Check Point Research contacted WhatsApp on November 10, 2020 to inform them of the vulnerability, and the company fixed it in version 2.21.1.13 released on January 21. Therefore, if you have that version or a later one, you are currently protected against the vulnerability. WhatsApp claims that it has not detected any use of the vulnerability. The company claims that the application is still perfectly secure, and that WhatsApp’s end-to-end encryption has not been affected and they have no evidence that someone has exploited this vulnerability.

The EU fines WhatsApp with 225 million euros

Today, the European Union has fined Facebook 225 million euros for not detailing to European residents how it collects their data and what it does with them on WhatsApp, in violation of the GDPR in 2018 . The fine represents 0.8% of Facebook’s profit in 2020, and is the second highest that has been imposed applying the GDPR after the one imposed on Amazon in Luxembourg for 746 million euros.