WhatsApp details six previously undisclosed vulnerabilities in the platform

Hemani Sheth Mumbai | Updated on September 04, 2020 Published on September 04, 2020

WhatsApp said that it had fixed these vulnerabilities as soon as it discovered them and that no users were impacted

Found vulnerabilities that could be exploited through video calling, location messages and the sandbox renderer; said the bugs have been fixed

WhatsApp has revealed six previously undisclosed vulnerabilities in its service as part of its newly-published security advisory.

The Facebook-owned messaging service has created a dedicated page for its security advisories that details previously found vulnerabilities and security advisories for users.

“This advisory page provides a comprehensive list of WhatsApp security updates and associated Common Vulnerabilities and Exposures (CVE),” WhatsApp said.

Some vulnerabilities are found by the messaging service’s own security team, while others are reported under the Facebook Bug Bounty Program.

In a newly-published update for the year, the messaging service detailed various vulnerabilities that it had resolved, many of which could have allowed attackers to remotely access a user’s device or escalate privileges.

For instance, it found a stack overflow vulnerability that “could have allowed arbitrary code execution when playing a specially-crafted push to talk message.” The bug was found in the app’s Android version prior to v2.20.35, WhatsApp Business for Android prior to v2.20.20, WhatsApp for iPhone prior to v2.20.30, and WhatsApp Business for iPhone prior to v2.20.30.

Another vulnerability detailed by the platform was found in sticker messages.

“A URL validation issue in WhatsApp for Android prior to v2.20.11 and WhatsApp Business for Android prior to v2.20.2 could have caused the recipient of a sticker message containing deliberately malformed data to load an image from a sender-controlled URL without user interaction,” the update read.

It also found other vulnerabilities that could be exploited through features such as video calling, location messages and the sandbox renderer.

However, WhatsApp added that it had fixed these vulnerabilities as soon as it discovered them and that no users were impacted.

“Please note that the details included in CVE descriptions are meant to help researchers understand technical scenarios and does not imply users were impacted in this manner,” WhatsApp said.
