WhatsApp has revealed six previously undisclosed vulnerabilities in its service as part of its newly-published security advisory.

The Facebook-owned messaging service has created a dedicated page for its security advisories that details previously found vulnerabilities and security advisories for users.

“This advisory page provides a comprehensive list of WhatsApp security updates and associated Common Vulnerabilities and Exposures (CVE),” WhatsApp said.

Some vulnerabilities are found by the messaging service’s own security team, while others are reported under the Facebook Bug Bounty Program.

In a newly-published update for the year, the messaging service detailed various vulnerabilities that it had resolved, many of which could have allowed attackers to remotely access a user’s device or escalate privileges.

For instance, it found a stack overflow vulnerability that “could have allowed arbitrary code execution when playing a specially-crafted push to talk message.” The bug was found in the app’s Android version prior to v2.20.35, WhatsApp Business for Android prior to v2.20.20, WhatsApp for iPhone prior to v2.20.30, and WhatsApp Business for iPhone prior to v2.20.30.

Another vulnerability detailed by the platform was found in sticker messages.

“A URL validation issue in WhatsApp for Android prior to v2.20.11 and WhatsApp Business for Android prior to v2.20.2 could have caused the recipient of a sticker message containing deliberately malformed data to load an image from a sender-controlled URL without user interaction,” the update read.

It also found other vulnerabilities that could exploit features such as video calling, location message and sandbox renderer.

However, WhatsApp added that it had fixed these vulnerabilities as soon as it discovered them and that no users were impacted.

“Please note that the details included in CVE descriptions are meant to help researchers understand technical scenarios and does not imply users were impacted in this manner,” WhatsApp said.

comment COMMENT NOW