UPDATED 22:35 EDT / SEPTEMBER 02 2021

SECURITY

WhatsApp vulnerability could have led to user data being exposed

A now-patched vulnerability in the Facebook Inc.-owned WhatsApp messaging service could have led to user data being exposed.

Discovered by researchers at Check Point Software Technologies Ltd., the vulnerability is described as an “out-of-bounds read-write vulnerability.” While the flaw required complex steps to exploit, it could have allowed an attacker to read sensitive information from WhatsApp memory.

The vulnerability was discovered in November, and the Check Point researchers informed WhatsApp at the time. It was then patched in WhatsApp version 2.21.1.13, released Jan. 22.

The vulnerability relates to a memory corruption issue in how WhatsApp processes and sends images on its platform. The researchers found that the app's image filter function crashed when it was used with certain specially crafted GIF files, which led them to the vulnerability.

According to the researchers, the vulnerability could be triggered after a user opens an attachment containing a maliciously crafted image, tries to apply a filter and then sends the image with the filter applied back to the attacker. That scenario is unlikely, which is why the steps are described as complex, but if the attacker were using a hijacked account belonging to a victim’s friend, the likelihood, while still slim, increases.
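The article describes the flaw only as an out-of-bounds read-write in the image filter path. As an added illustration of how that class of bug is prevented (this is not WhatsApp's or Check Point's code), the C example below validates everything a filter's pixel loop relies on before touching memory; the `image_t` descriptor, the RGBA-only invert filter and the error codes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical decoded-image descriptor; all names are assumptions for this example. */
typedef struct {
    uint32_t width, height;   /* in pixels */
    uint32_t bytes_per_pixel; /* 1 = palette index, 4 = RGBA */
    size_t   stride;          /* bytes per row */
    size_t   len;             /* bytes actually allocated at data */
    uint8_t *data;
} image_t;

enum { FILTER_OK = 0, FILTER_BAD_FORMAT = -1, FILTER_BAD_SIZE = -2 };

/* Return 1 only if the geometry the descriptor claims fits inside its buffer. */
static int geometry_fits(const image_t *im) {
    if (!im->data || im->width == 0 || im->height == 0 || im->bytes_per_pixel == 0)
        return 0;
    if (im->width > SIZE_MAX / im->bytes_per_pixel) return 0;   /* row size overflows */
    if (im->stride < (size_t)im->width * im->bytes_per_pixel) return 0;
    if (im->height > SIZE_MAX / im->stride) return 0;           /* total size overflows */
    return im->stride * im->height <= im->len;
}

/* Invert the colour channels of src into dst. Every assumption the pixel loop
 * relies on (RGBA layout, equal dimensions, large enough buffers) is checked first. */
int apply_invert_filter(const image_t *src, image_t *dst) {
    if (!src || !dst) return FILTER_BAD_FORMAT;
    if (src->bytes_per_pixel != 4 || dst->bytes_per_pixel != 4) return FILTER_BAD_FORMAT;
    if (src->width != dst->width || src->height != dst->height) return FILTER_BAD_SIZE;
    if (!geometry_fits(src) || !geometry_fits(dst)) return FILTER_BAD_SIZE;
    for (uint32_t y = 0; y < src->height; y++) {
        const uint8_t *s = src->data + (size_t)y * src->stride;
        uint8_t *d = dst->data + (size_t)y * dst->stride;
        for (size_t x = 0; x < src->width; x++) {
            for (int c = 0; c < 3; c++) d[4 * x + c] = (uint8_t)(255 - s[4 * x + c]);
            d[4 * x + 3] = s[4 * x + 3];   /* alpha copied unchanged */
        }
    }
    return FILTER_OK;
}

int main(void) {
    uint8_t px[4] = {0}, out[16] = {0};        /* constructed sample buffers */
    image_t lie = {2, 2, 4, 8, sizeof px, px}; /* claims 16 bytes, owns 4 */
    image_t dst = {2, 2, 4, 8, sizeof out, out};
    printf("undersized source -> %d\n", apply_invert_filter(&lie, &dst));
    return 0;
}
```

Without the format and size checks, the same loop would read 16 bytes from a 4-byte source buffer, which is the kind of out-of-bounds access a crafted image can provoke.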

“The exploitation of vulnerabilities continues to challenge Facebook’s reputation and image just as we have seen with previous incidents,” Burak Agca, an engineer at endpoint-to-cloud security company Lookout Inc., told SiliconANGLE. “WhatsApp continuously updates its applications in order to address these security issues. Updates to their apps patch the vulnerability in question, and in addition, they released a server-side fix to prevent any version of the app from being exploited.”

Richard Melick, director, product strategy for endpoint security at mobile security firm Zimperium Inc., noted that “as we have seen from high profile mobile cybersecurity incidents over the years, communication apps have been successfully targeted by malicious actors with the ultimate goal of data theft, compromise and espionage.”

Melick added that “apps like WhatsApp have become absolutely critical to our personal and professional lives, bridging communication gaps worldwide between friends, families, co-workers, and more. But the amount of personal and private data shared on these apps is staggering and we must be vigilant to what we share across the communication tools and what is stored and where.”

The disclosure of the vulnerability came on the same day Ireland’s privacy regulator fined Facebook $267 million for failing to provide WhatsApp users with sufficient information on how it collects and processes their data.

Photo: haberlernet NET/Flickr
