Researchers from checkpoint have identified a new vulnerability using which an attacker could have exploited a high security vulnerability using which an adversary read sensitive information from the memory of an application simply through the message app by sending a specially crafted image. The vulnerability with CVE-2020-1910 can crash WhatsApp by switching between various filters on malicious GIF files .

WhatsApp Brand Resources

Check Point Research (CPR) recently revealed a new Out-Of-Bounds read-write vulnerability in the popular messaging application. The issue, which has been patched and remains theoretical, would have required complex steps and extensive user interaction in order to exploit, and could have allowed an attacker to read sensitive information from WhatsApp memory. WhatsApp confirmed that they saw no evidence of abuse related to this vulnerability.” reads the advisory.

Source: checkpoint

Whatsapp has also released a statement to this vulnerability which states “This report involves multiple steps a user would have needed to take and we have no reason to believe users would have been impacted by this bug. That said, even the most complex scenarios researchers identify can help increase security for users. As with any tech product, we recommend that users keep their apps and operating systems up to date, to download updates whenever they’re available, to report suspicious messages, and to reach out to us if they experience issues using WhatsApp.

Whatsapp had released the fix in the version during the February month security updates which had introduced two new checks in source image and filter image as like below:

  • Validates that the image format equals 1 (ANDROID_BITMAP_FORMAT_RGBA_8888). This means that both source and filter images must be in RGBA format.
  • Validates image size by checking that the (stride*height)/4 equals width*height.
    Because “stride” equals the number of bytes per pixel multiplied by width, the second check actually ensures that the image indeed has 4 bytes per pixel.

–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1, Linkedin handle @linkedin.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s