27 September 2023

WhatsApp shows its vulnerable sides


Zack Whittaker and Sarah Perez* say Facebook-owned WhatsApp has revealed six previously undisclosed vulnerabilities, which the company has now fixed.


The vulnerabilities are listed on a new, dedicated security advisory website that will serve as the central resource for WhatsApp security updates and their associated Common Vulnerabilities and Exposures (CVE) identifiers.

WhatsApp said five of the six vulnerabilities were fixed the same day they were found, while the remaining bug took a couple of days to remediate.

Although some of the bugs could have been remotely triggered, the company said it found no evidence of hackers actively exploiting the vulnerabilities.

Around one-third of the new vulnerabilities were reported through the company’s Bug Bounty Program, while the others were discovered through routine code reviews and automated tooling.

WhatsApp is one of the world’s most popular apps with more than two billion users around the world.

But it’s also a persistent target for hackers, who try to find and exploit vulnerabilities in the platform.

The new website was launched as part of the company’s efforts to be more transparent about vulnerabilities in the messaging app, and in response to user feedback.

The company says the WhatsApp community has been asking for a centralised location for tracking security vulnerabilities, as WhatsApp isn’t always able to detail its security advisories in its app release notes due to app store policies.

The new dashboard will update monthly, or sooner if it has to warn users of an active attack.

It will also offer an archive of past CVEs dating back to 2018.

While the website’s main focus will be on CVEs in WhatsApp’s own code, if the company files a CVE with MITRE’s public CVE database for a vulnerability it found in third-party code, it will denote that on the WhatsApp Security Advisory page as well.

Last year, WhatsApp went public after fixing a vulnerability allegedly used by Israeli spyware maker NSO Group.

WhatsApp sued the spyware maker, alleging the company used the vulnerability to covertly deliver its Pegasus spyware to some 1,400 devices — including more than 100 human rights defenders and journalists.

NSO denied the allegations.

John Scott-Railton, a senior researcher at Citizen Lab, whose work has included investigating NSO Group, welcomed the news.

“This is good, and we know that bad actors make use of extensive resources to acquire and weaponise vulnerabilities,” he told TechCrunch.

“WhatsApp sending the signal that it’s going to move regularly to identify and patch in this way seems like yet another way to raise the cost for bad actors.”

In a blog post, WhatsApp said: “We are very committed to transparency and this resource is intended to help the broader technology community benefit from the latest advances in our security efforts.”

“We strongly encourage all users to ensure they keep their WhatsApp up-to-date from their respective app stores and update their mobile operating systems whenever updates are available.”

Facebook also said that it has codified its vulnerability disclosure policy, allowing the company to warn developers of security vulnerabilities in third-party code that Facebook and WhatsApp rely on.

*Zack Whittaker is the security editor at TechCrunch. Sarah Perez has worked as a reporter for TechCrunch since August 2011.

This article first appeared at techcrunch.com
