WhatsApp just revealed these six critical security vulnerabilities
WhatsApp is putting all its cards on the table when it comes to bugs and security issues and reported six previously undisclosed vulnerabilities on a dedicated website.
WhatsApp new security advisory site
The team behind the world’s biggest chat application confirmed that it has fixed six previously undisclosed vulnerabilities. WhatsApp also announced a new dedicated security advisory site.
The advisory site will be used to inform WhatsApp more than two billion users worldwide about bugs and keep them updated on app security. WhatsApp has been criticised for its security measures in the past.
“We are very committed to transparency, and this resource is intended to help the broader technology community benefit from the latest advances in our security efforts”.
Users can expect a comprehensive list of security updates, as well as associated Common Vulnerabilities and Exposures (CVEs) under WhatsApp new transparency initiative.
Improved security and transparency
The WhatsApp team said they take users’ security “very seriously” and will provide leading protections for users while they collaborate with experts from around to world “to stay ahead of potential threats”.
WhatsApp explained that it will conduct internal security reviews and “rely on automated detection systems to identify and fix potential issues proactively”. Keeping true to their word, WhatsApp revealed six security bugs.
The team explained that the six security vulnerabilities were patched. We’ll include all six patches as received from WhatsApp below.
One bug in particular (CVE-2020-1890) required no user interaction at all and could load malformed data on Android devices. Another bug, CVE-2019-11928, required input-validation from users.
Six recent WhatsApp vulnerabilities
CVE-2020-1894
A stack write overflow in WhatsApp for Android prior to v2.20.35, WhatsApp Business for Android prior to v2.20.20, WhatsApp for iPhone prior to v2.20.30, and WhatsApp Business for iPhone prior to v2.20.30 could have allowed arbitrary code execution when playing a specially crafted push to talk message.
CVE-2020-1891
A user controlled parameter used in video call in WhatsApp for Android prior to v2.20.17, WhatsApp Business for Android prior to v2.20.7, WhatsApp for iPhone prior to v2.20.20, and WhatsApp Business for iPhone prior to v2.20.20 could have allowed an out-of-bounds write on 32-bit devices.
CVE-2020-1890
A URL validation issue in WhatsApp for Android prior to v2.20.11 and WhatsApp Business for Android prior to v2.20.2 could have caused the recipient of a sticker message containing deliberately malformed data to load an image from a sender-controlled URL without user interaction.
CVE-2020-1889
A security feature bypass issue in WhatsApp Desktop versions prior to v0.3.4932 could have allowed for sandbox escape in Electron and escalation of privilege if combined with a remote code execution vulnerability inside the sandboxed renderer process.
CVE-2020-1886
A buffer overflow in WhatsApp for Android prior to v2.20.11 and WhatsApp Business for Android prior to v2.20.2 could have allowed an out-of-bounds write via a specially crafted video stream after receiving and answering a malicious video call.
CVE-2019-11928
An input validation issue in WhatsApp Desktop versions prior to v0.3.4932 could have allowed cross-site scripting upon clicking on a link from a specially crafted live location message.
No comments: