The popular messaging app WhatsApp recently faced a major security vulnerability that could lead to sensitive data leakage. Although the exploit has now been fixed by the company, it shows that even end-to-end encryption can be bypassed by hackers.
The vulnerability was discovered by security research firm Check Point Research (CPR). According to the firm, the exploit required “complex steps and extensive user interaction” to be achieved. If performed correctly, the hacker could read sensitive information from WhatsApp’s memory.
In order to gain access to the vulnerability, the hacker needed to send an attachment that contained a specific malicious image. The user’s data was exposed after applying a filter to this image and sending it back to the attacker, which resulted in a memory crash.
The vulnerability related to the WhatsApp image filter functionality and was triggered when a user opened an attachment that contained a maliciously crafted image file, then tried to apply a filter, and then sent the image with the filter applied back to the attacker. […] During their research study, CPR learned that switching between various filters on crafted GIF files indeed caused WhatsApp to crash.
Luckily, it doesn’t seem that malicious hackers had time to use this exploit to obtain data from WhatsApp users. CPR informed WhatsApp about the vulnerability on November 10, 2020, and the bug was fixed earlier this year. Version 126.96.36.199 of the WhatsApp app now features two ways to check the integrity of an edited image with filters to avoid the exploit.
WhatsApp later thanked CPR for reporting the vulnerability, claiming that the app’s end-to-end encryption remains secure and that security research firms are important in preventing exploits like this from being used for malicious purposes.
- WhatsApp working on iMessage-like reactions; Zoom details new features for iPad
- WhatsApp for Desktop launches public beta for macOS users
- WhatsApp for iPad coming as the company works on multi-device support 2.0
FTC: We use income earning auto affiliate links. More.