WhatsApp patches vulnerability in image filter function that could have led to data exposure
Ireland fines WhatsApp 225m euros for breaching EU privacy laws
The vulnerability was reported to WhatsApp by cybersecurity firm Check Point Research, and it existed within the image filter function of WhatsApp for Android and WhatsApp Business for Android that allows users to add filters to their images.
The Facebook-owned company fixed the security issue after it was reported by Check Point researchers and claimed that there was no evidence that the vulnerability was ever abused.
Called an “Out-Of-Bounds read-write vulnerability”, the issue was disclosed to WhatsApp by Check Point Research on November 10, 2020. WhatsApp took some time to fix the bug and issued a patch in February. It was provided to end-users through version 126.96.36.199 of both the WhatsApp for Android and WhatsApp Business for Android apps.
Researchers at Check Point Research discovered the vulnerability, which is technically a memory corruption issue, while looking at the way WhatsApp processes and sends images on its platform. During the research, they found that the image filter function of the messaging app crashed when used with certain specially crafted GIF files. That crash led the researchers to the underlying flaw.
According to Check Point Research, the vulnerability could be triggered after a user opens an attachment containing a maliciously crafted image file, tries to apply a filter, and then sends the image with the filter applied back to the attacker. The researchers thus noted that an attacker would have required “complex steps and extensive user interaction” to exploit the issue.
However, if successfully exploited, the vulnerability is claimed to allow an attacker to read sensitive information from WhatsApp's memory, which includes private messages and previously shared images and videos.
“Once we discovered the security vulnerability, we quickly reported our findings to WhatsApp, who was cooperative and collaborative in issuing a fix. The result of our collective efforts is a safer WhatsApp for users worldwide,” said Oded Vanunu, Head of Products Vulnerabilities Research at Check Point, in a prepared statement.
“People should have no doubt that end-to-end encryption continues to work as intended and people's messages remain safe and secure,” WhatsApp said in its statement given to Check Point Research. “This report involves multiple steps a user would have needed to take and we have no reason to believe users would have been impacted by this bug. That said, even the most complex scenarios researchers identify can help increase security for users.”
Ireland's Data Protection Commission was entrusted with the case because Facebook's European headquarters are situated in the country.
"And following this reassessment the DPC has imposed a fine of 225 million euros ($267 million) on WhatsApp," the commission said, by far the largest penalty it has ever issued to a company, dwarfing the 450,000-euro fine imposed on Twitter last year.
As Ireland hosts the regional headquarters of a number of major tech players such as Apple, Google and Twitter, the DPC has been largely responsible for policing adherence to the EU's landmark General Data Protection Regulation (GDPR) charter.
But Ireland has come under pressure for not taking a firm enough line against tech giants, who are generally understood to be drawn to the country by its low corporate tax rate of 12.5 percent.
WhatsApp said it would appeal the decision.
"We disagree with the decision today," it said in a statement, calling the penalties "entirely disproportionate."
- 'Dissuasive fine' -
The DPC launched the WhatsApp probe in December 2018 to examine whether the messaging app "discharged its GDPR transparency obligations" with regard to telling users how their data would be processed between WhatsApp and other Facebook companies.
In an initial finding submitted to other European regulators for approval last December, the DPC proposed imposing a fine of between 30 and 50 million euros, but a number of national regulators rejected the figure, triggering the launch of a dispute resolution process in June.
Last month, the European Data Protection Board (EDPB) instructed the DPC to increase the fine, with Germany's regulator leading the calls for the penalty to be higher.
The fine had to be "effective, dissuasive and proportionate," it said.
Hailed as a potent weapon to bring tech titans to heel, the GDPR endowed national watchdogs with cross-border powers and the possibility to impose sizeable fines for data misuse.
But Germany's data protection commissioner, Ulrich Kelber, in March wrote an open letter criticising the DPC for the "extremely slow" way it handled GDPR complaints.