Previously undisclosed WhatsApp vulnerabilities revealed on new security site
WhatsApp recently revealed six previously undisclosed vulnerabilities, all of which have now been fixed by the company. WhatsApp reported the vulnerabilities on a dedicated security advisory website that will now serve as the central resource for a comprehensive list of WhatsApp security updates along with their associated Common Vulnerabilities and Exposures (CVE) identifiers.
The company stated that five of the six vulnerabilities were
fixed on the same day they were found, while the remaining bug took a few days to be
resolved. Although some of the bugs could have been triggered remotely, WhatsApp stated
that it found no evidence of attackers actively exploiting the
vulnerabilities. Around one-third of the newly disclosed vulnerabilities were
reported through the company's Bug Bounty Program, while the others were
discovered in routine code reviews and by automated systems.
WhatsApp is one of the most popular apps in the world,
with more than two billion users. That popularity also makes the
platform a consistent target for attackers, who regularly try to find and
exploit vulnerabilities in it.
The new security advisory website was launched as part of
WhatsApp's efforts to be more transparent with its users about vulnerabilities
affecting the platform, and in response to user feedback. WhatsApp stated
that the WhatsApp community had often asked for a centralized location to
track security vulnerabilities, because WhatsApp could not always detail its security
advisories in the app's release notes due to differing app store policies.
The website's dashboard will be updated monthly, or
sooner if WhatsApp needs to warn users about a vulnerability that is under attack. It
also provides an archive of past CVEs dating back to 2018. While the main
focus will be on CVEs in WhatsApp's own code, if the company files a CVE
with the public MITRE database for a vulnerability it discovers in third-party
code, it will highlight that on the WhatsApp Security Advisory page as well.
In 2019, WhatsApp publicly disclosed a vulnerability it had fixed
that was allegedly exploited by Israeli spyware maker NSO Group. The
company sued the spyware maker, stating that it had used the vulnerability to
covertly deliver its Pegasus spyware to around 1,400 devices, including
those of more than 100 human rights defenders and journalists. NSO, however, denied the
allegations.
John Scott-Railton, a senior researcher at Citizen Lab,
whose work includes investigating the NSO Group, welcomed the news. "This is
good news, and we know that bad elements use extensive resources to acquire and
weaponize vulnerabilities. WhatsApp making this move and sending the signal
that it’s going to monitor, identify and patch in this way regularly is a good
way to raise the cost for bad elements.”
In a blog post, WhatsApp stated: “We are deeply committed to
preserving the transparency, and this resource and update is intended to help
the broader technology community benefit from the latest security efforts. We
strongly encourage all our users to ensure that they regularly update their
WhatsApp from respective app stores to update their mobile operating systems.”
Facebook also stated that it has codified its vulnerability disclosure policy,
which allows it to warn developers about security vulnerabilities in
third-party code that Facebook and WhatsApp rely on.