WhatsApp has recently patched a vulnerability in its image filter function that, if exploited, could lead to a user’s sensitive information being stolen.
If we were to grab a nickel for each time WhatsApp had an issue linked to user data, it wouldn’t make a shilling, but there would still be a concerning amount of money. The social media platform’s woes began back in early 2021, with a policy update that threatened to hand personal user data over to Facebook, which could in turn share it with third-party advertisers.
When this was met with unanimous uproar and a significantly reduced user base, WhatsApp finally relented. Then came a rather public spat with competitor Telegram, in which the latter claimed that the former’s oft-praised end-to-end chat encryption still left user information accessible to outside parties. And now, we’re here.
This recent vulnerability was spotted by the cybersecurity firm Check Point Research.
While the issue was fixed after it was brought to the attention of WhatsApp’s developers, and was likely never exploited in the first place, the damage could have been catastrophic.
All it would have taken is any other individual or group reaching the same conclusion that Check Point did, before Check Point did. And there was quite a lot of time to exploit the weakness as well: the issue was raised on the 10th of November, 2020, and was resolved only very recently. But what was the issue in the first place? Let’s take a look.
WhatsApp’s image filter.
The vulnerability stems from WhatsApp’s image filter function, a feature present in both regular WhatsApp and WhatsApp Business.
Check Point labelled it an out-of-bounds read/write vulnerability. While the full extent and nature of the vulnerability are, understandably, not revealed in order to prevent exploitation, a general understanding of its setup is available. This also reveals why no one managed to pull off the exploit in the first place.
The exploit’s setup is a very complicated, almost far-fetched scenario that requires a lot of planning, trial and error, and luck.
Essentially, the exploit starts with a malicious individual sending a picture crafted to pass through the filter and corrupt WhatsApp’s memory. Then, that image, with the filter applied, would have to be sent back to the original malicious user.
How anyone would ever convince the other user to send the filtered image back is tricky, to say the least. However, it was still a problem worth bringing to the design team’s attention, and perhaps in the nick of time as well.
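The class of bug described above, an image filter that trusts the dimensions in an image header and reads or writes past the real pixel buffer, is what a validation step in front of the filter is meant to stop. The following is an added illustration written for this article, not WhatsApp’s or Check Point’s code: a hypothetical RGBA grayscale filter that checks the header against the actual buffer length (with overflow-safe arithmetic) before touching a single pixel, so a malformed image is rejected instead of corrupting memory.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical image container (constructed for this example): the header
   fields come from untrusted input, so the pixel buffer may be shorter than
   the header claims. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;   /* this filter only supports 4 (RGBA) */
    const uint8_t *pixels;
    size_t pixels_len;          /* bytes actually available */
} image_t;

#define FILTER_OK          0
#define FILTER_BAD_FORMAT -1
#define FILTER_TRUNCATED  -2

/* Validate the header against the real buffer before any pixel is read:
   supported pixel format, no overflow in width*height*bpp, and a buffer
   that really holds that many bytes. */
int validate_image(const image_t *img) {
    if (img->bytes_per_pixel != 4) return FILTER_BAD_FORMAT;
    if (img->width == 0 || img->height == 0) return FILTER_BAD_FORMAT;
    if (img->width > SIZE_MAX / img->height) return FILTER_BAD_FORMAT;
    size_t px = (size_t)img->width * img->height;
    if (px > SIZE_MAX / 4) return FILTER_BAD_FORMAT;
    if (px * 4 > img->pixels_len) return FILTER_TRUNCATED;
    return FILTER_OK;
}

/* Grayscale filter writing into a caller-supplied buffer of out_len bytes.
   Returns the validation result; nothing is written on failure. */
int grayscale_filter(const image_t *img, uint8_t *out, size_t out_len) {
    int rc = validate_image(img);
    if (rc != FILTER_OK) return rc;
    size_t n = (size_t)img->width * img->height * 4;
    if (out_len < n) return FILTER_TRUNCATED;   /* output bounded too */
    for (size_t i = 0; i < n; i += 4) {
        const uint8_t *p = img->pixels + i;
        /* integer luma approximation: 0.30 R + 0.59 G + 0.11 B */
        uint8_t g = (uint8_t)((p[0] * 30 + p[1] * 59 + p[2] * 11) / 100);
        out[i] = out[i + 1] = out[i + 2] = g;
        out[i + 3] = p[3];                        /* keep alpha */
    }
    return FILTER_OK;
}
```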