Previously undisclosed WhatsApp vulnerabilities revealed on new security site

WhatsApp recently revealed six previously undisclosed vulnerabilities, all of which have now been fixed by the company. WhatsApp reported the vulnerabilities on a dedicated security advisory website that will now serve as the central resource for a comprehensive list of WhatsApp security updates, along with their associated Common Vulnerabilities and Exposures (CVE) identifiers.

The company stated that five of the six vulnerabilities were fixed on the same day they were found, while the remaining bug took a few days to resolve. Though some of the bugs could have been triggered remotely, WhatsApp stated that it found no evidence of attackers actively exploiting them. Around one-third of the newly disclosed vulnerabilities were reported through the company's Bug Bounty Program, while the others were discovered during routine code reviews and by automated systems.

WhatsApp is one of the most popular apps in the world, with more than two billion users. That popularity also makes the platform a consistent target for attackers, who regularly try to find and exploit vulnerabilities in it.

The new security advisory website was launched as part of WhatsApp's efforts to be more transparent with its users about vulnerabilities affecting the platform, and in response to user feedback. WhatsApp stated that its community had often asked for a centralized place to track security vulnerabilities, because app store policies meant WhatsApp could not always detail its security advisories in an app's release notes.

The website's dashboard will be updated monthly, or sooner if WhatsApp needs to warn users about an attack that exploits a vulnerability. It also provides an archive of past CVEs dating back to 2018. While the main focus is on CVEs in WhatsApp's own code, if the company files a CVE with MITRE's public CVE database for a vulnerability it finds in third-party code, it will highlight that on the WhatsApp Security Advisory page as well.

In 2019, WhatsApp went public after fixing a vulnerability that was allegedly used by the Israeli spyware maker NSO Group. The company sued the spyware maker, stating that NSO had used the vulnerability to covertly deliver its Pegasus spyware to around 1,400 devices, whose owners included more than 100 human rights defenders and journalists. NSO, however, denied the allegations.

John Scott-Railton, a senior researcher from Citizen Lab, whose work included investigating the NSO Group, welcomed the news. “This is good news, and we know that bad elements use extensive resources to acquire and weaponize vulnerabilities. WhatsApp making this move and sending the signal that it’s going to monitor, identify and patch in this way regularly is a good way to raise the cost for bad elements.”

In a blog post, WhatsApp stated: "We are deeply committed to preserving transparency, and this resource and update is intended to help the broader technology community benefit from the latest security efforts. We strongly encourage all our users to ensure that they regularly update their WhatsApp from their respective app stores and to update their mobile operating systems." Facebook also stated that it has codified its vulnerability disclosure policy, which allows it to warn developers about security vulnerabilities in third-party code that Facebook and WhatsApp rely on.
