WhatsApp’s image filter feature had a high-security vulnerability that could be exploited to send malignant images over the app to retrieve sensitive info from its recollection. However, the vulnerability has since been patched.
The flaw, recognized as CVE-2020-1910 (CVSS score: 7.8), the flaw is a read/write out-of-bounds and arises from applications that apply image filters to a rogue image and send this to an unwitting recipient. The altered image may give access to valuable information held in the app’s memory.
Using categorical image filters to specially crafted images and sending the resultant images could have resulted in users processing out-of-bounds edits and reading if an error did not occur when bounds were checked within WhatsApp for Android before version 126.96.36.199, as well as WhatsApp Business for Android.
According to Check Point Research, which reported the vulnerability to Facebook on November 10, 2020, the Malignant GIF files on WhatsApp could be crashed by switching between various filters on them.
The problem occurred when applying a filter to the target buffer in a function called “applyFilterIntoBuffer(),” which took the images as input, applied the filters, and copied the results into a destination buffer.
According to the researchers, the vulnerability susceptible function in “libwhatsapp.so” relies on the premise that all images, source and filtered, have the same dimensions and are in the same RGBA color format.
Considering that each RGBA pixel is stored as four bytes, a malignant image containing just one byte per pixel could be exploited to achieve an out-of-bounds recollection access because an out-of-bounds access is provided by reading and faking a source image four times larger than the allocated buffer.
According to WhatsApp, users are not expected to be impacted by the bug. WhatsApp is using an initial check on the source and filter images since version 188.8.131.52 to ensure that both images are RGBA, have four bytes per pixel, and cannot be read by unauthorized users!
3 Tips for Protection against App Bugs
What do these cyber threats do exactly? Hackers first call an innocent user using the WhatsApp bug to start the scheme. The attacker can use the phone call to propagate malicious software on the device regardless of whether the user answers. The crooks then can spy on the victim’s device, most likely without their knowledge.
WhatsApp has already released a patch that fixes the bug, and users should update their apps immediately to get rid of the bug. The fact that messaging apps and the crucial information they contain don’t necessarily meet the definition of secure doesn’t mean you shouldn’t pay close attention to security now and in the future. Hence, here are a few steps to take when it comes to security:
- Enable auto-updates: Every application or platform, regardless of its type, should be kept up-to-date, as new versions typically include fixes for issues. With automatic updates, you are always on the cutting edge of security.
- Share information selectively: Sharing personal information is risky when you talk with other WhatsApp users or on other messaging platforms. If your device becomes compromised with spyware or other malware, your financial information or other sensitive details can be stolen.
- Keep an eye out: Make sure you report any bugs you encounter on your phone so that you can prevent any malware from being installed on your device.
This Is How You Can Report A WhatsApp Bug Now!
In its messaging app, WhatsApp now lets users report bugs directly. This new feature appeared in the latest beta update for Android among the many new features WhatsApp appears to be working on. However, beta testers are the only ones who can access and use the feature. The app is currently developing the feature and will make it publicly available after the testing is completed.
WhatsApp is working on a feature that will allow users to report bugs within the app, according to Wabetainfo. According to the Wabetainfo report, “WhatsApp is currently enhancing its app to allow users to communicate with its technical support team. The first time you will be able to contact WhatsApp support is within the settings of WhatsApp.”
A new bugs report file feature has been added to the new “Contact us” section on the WhatsApp feature tracker. The app will also allow users to report issues with the app including device information. A user can submit a report in this section by filling out that text field, and if a problem is reported he can also enter the device information. Wabetainfo report states that WhatsApp can investigate based on details like system information and log files.
WhatsApp will reply to the user in a WhatsApp Support chat, allowing the user to contact the tech. WhatsApp will automatically close a conversation once the conversation is over. A remote technician’s chat session will automatically be marked as closed once the chat has ended, according to the features tracker.
Users can however submit bug reports and other complaints via WhatsApp’s support email address (firstname.lastname@example.org). Users will be able to file bug reports more easily when in-app support is introduced!
Identifying and Resolving Bugs in Applications
What is your experience with spotting bugs in software? Was something done about it? Many people are uncertain about careers in cybersecurity, but if you are considering one, you should research it!
Let’s start by discussing what a bug is. There is a software bug when a computer program or system produces an incorrect or unexpected result due to an error, flaw, or fault. Some of these effects may be very subtle whereas, in others, they may be so severe that they can break an entire system.
A bug isn’t always a cyber security issue. There are many different types of vulnerabilities, not all of which can be exploited by an attacker to steal data or execute remote code.
Generally, many of these bugs aren’t very dangerous, but some can lead to very serious consequences, such as the distribution of thousands of malicious programs to users, or the theft of large amounts of data. It may be your username and password, too!
Cyber security professionals are responsible for finding and fixing vulnerabilities so systems are safe and secure. Bugs should not be overlooked, but what you’re going to do with them and how you can proactively report them should be considered as well.
We have compiled our best tips on spotting, reporting, and fixing application flaws on how to follow a strong code of ethics and build up your expertise in this area.
- Bring the flaw to the owner’s attention
Decide on how to deal with the found bug. Your decision to report the bug to the owner of the application should be based on your ethical and responsible standards. Before claiming a credit or revealing the problem, it is important to give the owner of the software time to fix the problem.
- Explain in detail
Giving as much information to the vendor as possible is helpful. The vendor is more likely to fix the flaw if there is as much information as possible. Providing additional information about your operating system, such as Linux, Mac, or Windows, which browser you were using, and your version of the software are all helpful.
- Develop a step-by-step guide
The best way to find a bug is to make a step-by-step guide. The owner of the application will then be able to find it and work on it as efficiently as possible. An exact set of screenshots is always more useful than anything else. Better yet, you can send the vendor a sample file that triggers the vulnerability.
- Securely share your results
If you find that the information you found is valuable, you might consider sharing it on a secure channel. The first step you should take if you discover sensitive information is to speak with the vendor and ask how they would like you to share this information.
The Bottom Line
Security is never 100% secure, so it is possible to find bugs or defects. Having the ability to spot bugs early on is crucial if you want to work in cyber security or simply want to be safe!