Facebook-owned WhatsApp has revealed six vulnerabilities in the app that could have allowed attackers to push malicious code remotely through images, URLs and video calls. WhatsApp says these vulnerabilities are now fixed, but there is no official information on whether any users were impacted.
6 Security Bugs
- WhatsApp got a head start on its new commitment to transparency with these disclosures, revealing six bugs that the company recently patched, and said it did so before finding any evidence that they had been exploited by threat actors.
- Some of the bugs could have been triggered remotely. One, CVE-2020-1890, was a URL-validation issue in WhatsApp for Android and WhatsApp Business for Android.
- Other bugs required user interaction, such as CVE-2019-11928, an input-validation issue in some WhatsApp Desktop versions that could have allowed cross-site scripting if a user clicked a link in a specially crafted live location message.
- WhatsApp said it will continue to disclose and patch issues “as quickly as possible,” revealing that five of the six bugs were patched on the same day they were discovered, according to a published report.
- Some of the bugs were discovered through the Facebook Bug Bounty program, which also covers WhatsApp issues, while others were found during code reviews, or by company security staff and its own automated systems, according to the report.
- More transparency from WhatsApp about platform flaws is certainly welcome: last year the company disclosed a zero-day vulnerability only after attackers were already exploiting it to install spyware on people’s smartphones.
- Facebook later sued NSO Group, the Israeli company that created the Pegasus spyware, over the hack, alleging that it developed the surveillance code and used a vulnerable WhatsApp server to send malware to approximately 1,400 mobile devices. NSO has denied any wrongdoing in the matter.