WhatsApp Reveals 6 Recently Fixed Bugs That Could’ve Resulted in Chaos
WhatsApp has officially revealed 6 recently fixed bugs on its security advisory website. Most of the bugs were unknown prior to the reveal, but they did have the potential to cause a lot of issues for users across the globe. In case you’re curious about it, let’s check it out.
6 Recently Fixed Bugs on WhatsApp
According to WhatsApp, 5 out of the 6 bugs were fixed on the same day, while the remaining one took at least a couple of days to solve properly. Some of those bugs could be triggered remotely, such as CVE-2020-1890, a URL-validation issue in the Android versions of both the consumer and business apps. A sticker message containing malformed data could load an image from a sender-controlled URL without any user interaction, potentially forcing receivers to accept malicious data.
Another notable bug is CVE-2019-11928, an input-validation issue in certain WhatsApp Desktop versions. This bug inadvertently allowed cross-site scripting if users clicked on a link from a specially crafted live location message.
Roughly a third of the bugs were reported through the company’s Bug Bounty program, while the rest were discovered through routine code reviews and automated systems. Given that the messaging app has over 2 billion users worldwide, it’s a consistent target for hackers who constantly find and exploit vulnerabilities in it.
The 6 recently fixed bugs on WhatsApp were reported on the company’s security advisory website, which provides an extensive list of security updates and their associated Common Vulnerabilities and Exposures (CVE) entries as part of the company’s commitment to transparency. This will also make its large user base more inclined to update to the latest version whenever it’s available. The company will update the database on a monthly basis, and sometimes sooner if an issue is threatening enough.
Previously, WhatsApp publicly disclosed a bug fix after reports of the bug allegedly being used by Israeli spyware maker NSO Group, and sued the company shortly after, stating that it secretly used the messaging platform to deliver Pegasus spyware to over 1,400 devices, including those of more than 100 human rights defenders and journalists. NSO Group still denies having anything to do with the issue.
We are very committed to transparency and this resource is intended to help the broader technology community benefit from the latest advances in our security efforts. We strongly encourage all users to ensure they keep their WhatsApp up-to-date from their respective app stores and update their mobile operating systems whenever updates are available.
Company Blog Post
Pokdepinion: I’m glad that nothing bad, or at least nothing major, came out of it. These things, even when they appear small, have the potential to escalate to such a big, complicated issue.