WhatsApp Flaw Casts Doubt on End-to-End Encryption

A recently fixed WhatsApp security vulnerability that, if exploited, could cause data leakage underscores the fact that hackers can bypass end-to-end encryption with some machinations.

WhatsApp included a patch for the flaw in its February 2021 Security Advisory Report and, in a statement, assured Check Point researchers Dikla Barda and Gal Elbaz—who analyzed the Out-Of-Bounds read-write vulnerability in a blog post—this week that it had “no reason to believe users would have been impacted by this bug” and that users should feel confident “that end-to-end encryption continues to work as intended and people’s messages remain safe and secure.”

The messaging app company pointed to the “multiple steps a user would have needed to take” before the vulnerability could be exploited. Indeed, Check Point acknowledged that the threat “remains theoretical, and would have required complex steps and extensive user interaction in order to exploit” but stresses that doing so “could have allowed an attacker to read sensitive information from WhatsApp memory.”

The vulnerability is related to the WhatsApp image filter functionality and “was triggered when a user opened an attachment that contained a maliciously crafted image file, then tried to apply a filter, and then sent the image with the filter applied back to the attacker,” they said.

The researchers zeroed in on how WhatsApp processes and sends images, using Check Point’s AFL fuzzer “to generate malformed files.” Switching between several filters on crafted GIF files, they caused WhatsApp to crash.

After connecting the phone to its lab and capturing the crash location via adb logcat, Check Point did some reverse engineering to review the crashes, identifying one as a memory corruption. At that point, the researchers reported the finding to WhatsApp and the vulnerability was assigned CVE-2020-1910 (heap-based out-of-bounds read and write).

In a deeper dive, Barda and Elbaz reverse-engineered the libwhatsapp.so library using a debugger to analyze the crash’s root cause. “The problem is that both destination and source images are assumed to have the same dimensions and also the same format RGBA (meaning each pixel is stored as 4 bytes, hence the multiplication by 4),” the researchers wrote. “However, there are no checks performed on the format of the source and destination images. Therefore, when a maliciously crafted source image has only 1 byte per pixel, the function tries to read and copy 4 times the amount of the allocated source image buffer, which leads to an out-of-bounds memory access.”
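The quoted root cause is a missing consistency check between the declared format of the source image and the size of the buffer the filter reads from. The following C example is added here to illustrate that check; it is not WhatsApp's code, and the `image_t` descriptor, the error codes and the trivial "invert" filter are all hypothetical. The point is that the copy length is derived from `width * height * 4` only after the code has confirmed that both images really are 4-bytes-per-pixel RGBA, have the same dimensions, and own buffers at least that large, so a 1-byte-per-pixel source can never be read four times past its allocation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical image descriptor (not a libwhatsapp.so structure).
 * bytes_per_pixel is 4 for RGBA and 1 for a single-channel image. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
    uint8_t *pixels;     /* pixel buffer */
    size_t   pixels_len; /* actual allocated size of pixels */
} image_t;

enum {
    FILTER_OK           =  0,
    FILTER_ERR_FORMAT   = -1, /* not RGBA on one side */
    FILTER_ERR_DIMS     = -2, /* width/height differ */
    FILTER_ERR_BUFFER   = -3, /* buffer smaller than declared geometry */
    FILTER_ERR_OVERFLOW = -4  /* width*height*4 does not fit in size_t */
};

/* The check the quoted analysis says was missing: confirm both images are
 * RGBA with identical dimensions and that each buffer really holds
 * width*height*4 bytes. On success *out_bytes is the safe copy length. */
int validate_rgba_pair(const image_t *src, const image_t *dst, size_t *out_bytes)
{
    if (src->bytes_per_pixel != 4 || dst->bytes_per_pixel != 4)
        return FILTER_ERR_FORMAT;
    if (src->width != dst->width || src->height != dst->height)
        return FILTER_ERR_DIMS;
    uint64_t npix = (uint64_t)src->width * src->height;
    if (npix > SIZE_MAX / 4)
        return FILTER_ERR_OVERFLOW;          /* multiplication would wrap */
    size_t need = (size_t)npix * 4;
    if (need > src->pixels_len || need > dst->pixels_len)
        return FILTER_ERR_BUFFER;            /* declared geometry exceeds allocation */
    *out_bytes = need;
    return FILTER_OK;
}

/* Toy filter: invert RGB, keep alpha. Touches memory only within the
 * length that validate_rgba_pair bounded. */
int apply_invert_filter(const image_t *src, image_t *dst)
{
    size_t n = 0;
    int rc = validate_rgba_pair(src, dst, &n);
    if (rc != FILTER_OK)
        return rc;
    for (size_t i = 0; i < n; i++)
        dst->pixels[i] = (i % 4 == 3) ? src->pixels[i] : (uint8_t)(255 - src->pixels[i]);
    return FILTER_OK;
}

/* Constructed sample: a legitimate 2x2 RGBA pair. Returns FILTER_OK only if
 * the filter ran and produced the expected inversion. */
int demo_legit_pair(void)
{
    uint8_t s[16], d[16];
    for (int i = 0; i < 16; i++) s[i] = (uint8_t)(0x10 * i); /* constructed pixels */
    image_t src = {2, 2, 4, s, sizeof s};
    image_t dst = {2, 2, 4, d, sizeof d};
    int rc = apply_invert_filter(&src, &dst);
    if (rc != FILTER_OK) return rc;
    if (d[0] != (uint8_t)(255 - s[0]) || d[3] != s[3]) return -99;
    return FILTER_OK;
}

/* Constructed sample: source declares 1 byte per pixel (4 bytes for 2x2)
 * while the destination is RGBA. The unchecked pattern would read 16 bytes
 * from a 4-byte buffer; the validated path refuses it. */
int demo_single_channel_source(void)
{
    uint8_t s[4] = {1, 2, 3, 4}, d[16];
    image_t src = {2, 2, 1, s, sizeof s};
    image_t dst = {2, 2, 4, d, sizeof d};
    return apply_invert_filter(&src, &dst);
}

/* Constructed sample: header claims RGBA 2x2 but the decoder only allocated
 * 4 bytes, so the geometry check (not the format check) must catch it. */
int demo_short_buffer(void)
{
    uint8_t s[4] = {1, 2, 3, 4}, d[16];
    image_t src = {2, 2, 4, s, sizeof s};
    image_t dst = {2, 2, 4, d, sizeof d};
    return apply_invert_filter(&src, &dst);
}

int main(void)
{
    printf("legit pair:      %d\n", demo_legit_pair());
    printf("1 bpp source:    %d\n", demo_single_channel_source());
    printf("short buffer:    %d\n", demo_short_buffer());
    return 0;
}
```

Both the format check and the buffer-length check are needed: the first rejects an honest single-channel image, the second rejects metadata that lies about the format, and the overflow guard keeps a huge declared width and height from wrapping the length to a small value that would pass the size comparison.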

Burak Agca, an engineer at Lookout, noted that Lookout has “seen multiple variants of the same attack,” and added that attackers “typically execute an exploit chain taking advantage of multiple vulnerabilities across the app and the operating system in tandem.” He pointed to the first such discovered chain, which exploited a since-patched vulnerability in the Safari browser to break out of the application sandbox. After this, multiple operating system vulnerabilities, also since patched, were exploited to elevate privileges and install spyware without the user’s knowledge.

The WhatsApp exploit, he said, “seems to exhibit a similar behavior, and the end-to-end details of these types of exploits came under scrutiny by the security community.”

For individuals and enterprises alike, Agca said, “it is clear relying on WhatsApp saying its messaging is encrypted end-to-end is simply not enough to keep sensitive data safe.”

He applauded WhatsApp for the speed and thoroughness of upgrades for this and other vulnerabilities. “WhatsApp continuously updates its applications in order to address these security issues,” Agca said. “Updates to their apps patch the vulnerability in question, and, in addition, they release a server-side fix to prevent any version of the app from being exploited.”

But consumers and organizations need to do their part to remain secure on the app. “WhatsApp users can be proactive and download a mobile security solution that reduces the risk of falling victim to WhatsApp scams—especially ones that try to phish your credentials or quietly install malware,” said Agca.

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.