Could a WhatsApp Image Filter bug expose our data to remote attackers?

WhatsApp Image Filter Bug

WhatsApp’s picture filter feature had a high-severity flaw that could be abused by sending malicious images through the app in order to obtain sensitive information from its memory. The vulnerability has since been patched.

The issue, tracked as CVE-2020-1910 (CVSS score: 7.8), is an out-of-bounds read/write flaw triggered when the app applies image filters to a specially crafted picture and the result is sent to an unsuspecting recipient. The altered image may expose valuable data stored in the app’s memory.

Applying specific image filters to specially crafted images and sending the resulting images could have led to out-of-bounds writes and reads when the bounds checking failed to catch the crafted input, in WhatsApp for Android prior to version 2.21.1.13 and in WhatsApp Business for Android.

According to Check Point Research, which reported the issue to Facebook on November 10, 2020, switching between several filters on malicious GIF files in WhatsApp could cause the app to crash.

The issue occurred while a filter was applied to the target buffer in a function named “applyFilterIntoBuffer(),” which took the image as input, applied the filter, and copied the result into a destination buffer.

The vulnerable function in “libwhatsapp.so,” according to the researchers, relies on the assumption that both images, source and filter, have the same size and are in the same RGBA color format.

Because the function reads the source image as if it were four times larger than the buffer that was actually allocated, a malicious image containing only one byte per pixel could be used to trigger an out-of-bounds memory access.

The flaw is not expected to affect WhatsApp users, according to WhatsApp. Since version 2.21.1.13, WhatsApp has performed an initial check on the source and filter images to ensure that both are RGBA, have four bytes per pixel, and cannot be read by unauthorized users!
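As an added example (constructed for this article, not WhatsApp’s or Check Point’s code), here is a C model of the assumption described above and of the kind of format-and-size check that removes it. The `image_t` struct, `blend_checked()` and the sample pixel buffers are all assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed illustration (not WhatsApp's code): metadata a filter must check. */
typedef struct {
    uint32_t width, height;
    uint32_t bytes_per_pixel;   /* 4 for RGBA, 1 for a single-channel image */
    const uint8_t *data;
    size_t data_len;            /* bytes actually allocated behind data */
} image_t;
enum { FILTER_OK = 0, FILTER_BAD_FORMAT = -1, FILTER_SIZE_MISMATCH = -2 };

/* The assumption the article describes: every pixel is 4 bytes. A 1-byte-per-pixel
 * source of equal width/height would be read four times past its end, so this
 * loop only runs after the checks in blend_checked(). */
static void blend_unchecked(const image_t *src, const image_t *flt, uint8_t *dst)
{
    size_t n = (size_t)src->width * src->height * 4;
    for (size_t i = 0; i < n; i++)
        dst[i] = (uint8_t)((src->data[i] + flt->data[i]) / 2);
}

/* Hardened entry point, modelled on the fix described: both images must be RGBA
 * (4 bytes/pixel), share dimensions, and every buffer must really hold
 * width*height*4 bytes, with that product checked for overflow first. */
static int blend_checked(const image_t *src, const image_t *flt, uint8_t *dst, size_t dst_len)
{
    if (src->bytes_per_pixel != 4 || flt->bytes_per_pixel != 4)
        return FILTER_BAD_FORMAT;
    if (src->width != flt->width || src->height != flt->height)
        return FILTER_SIZE_MISMATCH;
    if (src->width == 0 || src->height > (SIZE_MAX / 4) / src->width)
        return FILTER_SIZE_MISMATCH;
    size_t need = (size_t)src->width * src->height * 4;
    if (src->data_len < need || flt->data_len < need || dst_len < need)
        return FILTER_SIZE_MISMATCH;
    blend_unchecked(src, flt, dst);
    return FILTER_OK;
}

/* Demo on constructed input: a 2x1 RGBA pair blends (first byte (200+100)/2 = 150);
 * a 2x1 single-channel buffer claiming the same width/height is rejected. */
static int demo(void)
{
    static const uint8_t a[8] = {200, 100, 50, 255, 0, 0, 0, 255};
    static const uint8_t b[8] = {100, 100, 150, 255, 255, 255, 255, 255};
    static const uint8_t gray[2] = {7, 9};   /* 1 byte per pixel, 2 pixels */
    uint8_t out[8];
    image_t src = {2, 1, 4, a, sizeof a}, flt = {2, 1, 4, b, sizeof b};
    image_t bad = {2, 1, 1, gray, sizeof gray};
    if (blend_checked(&src, &flt, out, sizeof out) != FILTER_OK || out[0] != 150)
        return -99;   /* the valid pair must blend correctly */
    return blend_checked(&bad, &flt, out, sizeof out);   /* FILTER_BAD_FORMAT */
}
```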

Three Tips for Avoiding App Bugs

What exactly do these cyber threats do? To begin the attack, hackers use the WhatsApp bug to call an unsuspecting person. Regardless of whether the victim answers, the attacker can use the phone call to plant malicious software on the device. The crooks can then use the victim’s device to spy on them, most likely without their knowledge.

WhatsApp has already released a patch for the flaw, and users should update their apps right away to get rid of it. The fact that messaging applications and the critical information they hold do not always meet security standards does not mean that you should disregard security now and in the future. With that in mind, here are a few security precautions to take:

• Enable auto-updates: Every application or platform, regardless of kind, should be kept up to date, as new versions often include bug fixes. With automatic updates you are always on the cutting edge of security.

• Share information selectively: Sharing personal information with other WhatsApp users or on other messaging services is unsafe. If your device is infected with spyware or other malware, your financial information or other sensitive information could be taken.

• Be on the lookout: Make sure to report any bugs you find on your phone so that malware does not get installed on your device.

This Is How You Report A WhatsApp Bug Right Now!

WhatsApp’s messaging software now allows users to report bugs directly. Among the many new things WhatsApp appears to be working on, this function arrived in the most recent beta update for Android. However, only beta testers can access and use the feature. The functionality is still under development and will be made public once testing is completed.

According to Wabetainfo, WhatsApp is working on a feature that would allow users to report defects from within the programme. “WhatsApp is currently improving its software to allow users to contact its technical support team,” the Wabetainfo source says. “For the first time, you will be able to contact WhatsApp help through the app’s settings.”

A new bug report file function has been added to the new “Contact us” section documented by the WhatsApp feature tracker. Users will be able to report problems with the app, including device details, from within the app. A user submits a report by filling out the text area in this section and, when reporting a problem, can also enter the device information. According to the Wabetainfo report, WhatsApp can then investigate using details such as system information and log files.

WhatsApp will respond via a WhatsApp Support chat, allowing the user to talk to a technician. When a chat is finished, WhatsApp will close it immediately. According to the feature tracker, a remote technician’s chat session will be automatically marked as finished once the chat has ended.

In the meantime, users can send bug reports and other issues to WhatsApp’s support email address (support@whatsapp.com). Once in-app support is introduced, users will be able to file bug reports more easily!

Detecting and Resolving Application Bugs

What is your experience with detecting software bugs? Is anything being done about them? Many people are unsure about a career in cybersecurity, but if you are interested, you should do your homework!

Let’s start with a definition of a bug. A software bug occurs when a computer programme or system produces an incorrect or unexpected outcome as a result of an error, flaw, or fault. Some of these effects may be extremely subtle, while others may be severe enough to break an entire system.

A bug isn’t always a cause for concern in terms of cyber security. There are many kinds of vulnerabilities, and not all of them can be used by an attacker to steal data or execute remote code.

Many of these flaws aren’t particularly dangerous in general, but some can have major repercussions, such as the distribution of thousands of malicious programmes to users or the theft of large quantities of data. That data might include your account and password!

Cyber security specialists are responsible for identifying and repairing vulnerabilities in systems to ensure their safety and security. Bugs should not be neglected, but what you plan to do with them and how you will report them should also be considered.

We’ve assembled our best ideas for detecting, reporting, and repairing application defects in order to adhere to a strict code of ethics and increase your knowledge in this field.

1. Call the owner’s attention to the fault.

Decide how to handle the bug you have discovered. Notifying the application’s owner of the defect should follow from your ethical and responsible standards. Before claiming credit or publicizing the problem, it is critical to give the software’s owner time to fix it.

2. Describe in detail

Giving the vendor as much information as possible is beneficial. A vendor with complete information is more likely to fix the flaw. Additional details such as your operating system (Linux, Mac, or Windows), the browser you were using, and the version of the software you were running are all helpful.

3. Create a step-by-step guide.

Writing a step-by-step reproduction guide is the best way to help the owner find the bug. The application’s owner will then be able to locate it and work on it as quickly as possible. A precise series of screenshots is always more helpful than anything else. Even better, send the vendor a sample file that reproduces the issue.

4. Share your findings in a secure manner.

If you believe the information you discovered is sensitive, you should share it over a secure channel. If you uncover sensitive information, the first thing you should do is contact the vendor and ask how they would like you to disclose it.

In conclusion

Because no system is ever completely secure, faults and defects are always possible. Being able to detect problems early is critical if you want to work in cyber security or simply stay safe!