WhatsApp just admitted six dangerous issues with its chat app

WhatsApp users have been warned about six vulnerabilities in the world’s most popular chat app. This month the Facebook-owned messenger began a more open approach to informing users about flaws uncovered in its iOS and Android apps. To start with, WhatsApp has disclosed a series of issues involving Stickers, video calls and the WhatsApp Desktop app.

On a newly launched security advisories page, WhatsApp outlined the six vulnerabilities. Five of them, it says, were fixed in a single day, while the remaining bug took longer to resolve.

WhatsApp said that some of the bugs could be triggered remotely, but that it has found no evidence that any of them were actively exploited against users.

Some of the bugs were reported through WhatsApp’s bug bounty programme, which pays security researchers outside the company for discovering vulnerabilities; others were found through routine code reviews and automated analysis systems.

One flaw, tracked as CVE-2020-1890, involved Stickers: a sticker message containing “deliberately malformed data” could cause the recipient’s app “to load an image from a sender-controlled URL”. Fetching a URL chosen by the sender is a meaningful issue on its own, since the request reveals the recipient’s IP address and the fact that the message was rendered.

Another, CVE-2020-1891, affected video calls in certain versions of WhatsApp and WhatsApp Business for Android and iOS.

CVE-2020-1886 could have been exploited once an unsuspecting WhatsApp user answered “a malicious video call”.

And CVE-2019-11928 affected WhatsApp Desktop users who clicked on “a link from a specially crafted live location message”.

Outlining its approach to handling security issues, WhatsApp says on the new security advisories page: “If a bug is identified, we work to fix the issue as quickly as possible. In keeping with industry best practices, we will not disclose security issues until after we have fully investigated any claims, issued any necessary fixes, and made updates widely available through the respective app stores. We use this same approach for all WhatsApp products.

“If we ever fix an issue in one of our products, we also work to ensure that it’s addressed in any other products that may rely on the same code.

“We follow guidance provided by operating system manufacturers for on-device storage and we rely upon the security of operating systems and APIs. WhatsApp also relies on numerous code libraries developed by third parties for various features and we will annotate security updates for these libraries so other developers can make necessary updates.

“It is our policy to notify developers and providers of mobile operating systems about security issues that WhatsApp may identify.

“We are very committed to transparency and this resource is intended to help the broader technology community benefit from the latest advances in our security efforts. We strongly encourage all users to ensure they keep their WhatsApp up-to-date from their respective app stores and update their mobile operating systems whenever updates are available.”

The news comes as WhatsApp users have also been warned about a separate problem: so-called “crash code” messages that, once received, cause the app to crash every time it is opened.

The issue was reported by the WhatsApp watchers at WABetaInfo, who said the crash is triggered after a user clicks on a mysterious-looking message.

WABetaInfo explained: “A contact might send a message that contains many weird characters. If you read them entirely, they make no sense, but WhatsApp might interpret the message in a wrong way.

“Sometimes WhatsApp is also unable to render the message totally, because its structure is so weird: the combination of these characters creates a situation where WhatsApp isn’t able to process the message, determining an infinite crash. Infinite crash means that, when you open WhatsApp, it is frozen and it crashes. If you try to open the app again, it still crashes.”