WhatsApp, the popular messaging app, recently discovered a severe security vulnerability that could result in sensitive information leakage from WhatsApp’s memory.
Although the company already has patched the exploit in February, it shows that even end-to-end encryption can be bypassed by attackers.
Check Point Research (CPR), a security research firm, has discovered the vulnerability. It requires “complex steps and extensive user interaction” to be achieved. If performed properly, the attackers can read sensitive data from the WhatsApp’s memory, the security firm claims.
About 55 billion messages are transmitted daily over WhatsApp, with 4.5 billion pictures and 1 billion daily videos shared. The vulnerability was triggered when a user opened an attachment containing a maliciously crafted image file, tried using a filter, and then sent the image back to the attacker with the applied filter.
Luckily, it appears that the attackers did not have enough time to use this vulnerability to collect data from WhatsApp users.
On November 10, 2020, CPR notified WhatsApp about the vulnerability, and the issue was fixed earlier this year. To prevent the attack, WhatsApp version 126.96.36.199 now includes two techniques to validate the integrity of a modified image with filters.
In a statement, WhatsApp appreciated the work of CPR, claiming that the app’s end-to-end encryption remains secure and nobody needs to worry about it.
To keep yourself protected, we recommend users keep up-to-date with their apps and operating systems, download updates when available, report suspicious messages, or reach out to customer care if they experience any issues.
WhatsApp creates a dedicated Security Advisories page to list all the vulnerabilities that have been identified and fixed for the instant messaging service.