Facebook-owned WhatsApp has fixed six previously undisclosed vulnerabilities in its chat platform, revealing the move on a new dedicated security advisory site aimed at informing its more than 2 million users about bugs and keeping them updated on app security.
The site is part of an effort by WhatsApp to be more transparent about platform vulnerabilities to not just users, but also the security community, and patch them in a timely manner. The latter is something for which the company has been criticized in the past.
“We are very committed to transparency, and this resource is intended to help the broader technology community benefit from the latest advances in our security efforts,” the company said in a post about the new site.
The advisory page will provide a comprehensive list of WhatsApp security updates and associated Common Vulnerabilities and Exposures (CVEs), with descriptions aimed at helping researchers understand the impact of the bugs.
WhatsApp said it will keep “with industry best practices” and not disclose security issues until claims have been “fully investigated,” “necessary fixes” issued and updates provided through respective app stores.
6 Security Bugs
WhatsApp got a head start on its new commitment to transparency with some disclosures, revealing six bugs that the company recently patched, before any evidence emerged that they were exploited by threat actors, it said.
Some of the bugs could have been triggered remotely. One, CVE-2020-1890, was a URL-validation issue in WhatsApp for Android and WhatsApp Business for Android that could have caused the recipient of a sticker message containing deliberately malformed data to load an image from a sender-controlled URL without user interaction.
Other bugs required user interaction, such as CVE-2019-11928, an input-validation issue in some WhatsApp Desktop versions that could have allowed cross-site scripting if a user clicked on a link from a specially-crafted live location message.
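The two bug classes described above, a media URL that is fetched without strict validation and a message link that reaches the renderer unsanitized, are both closed by checks at the point where untrusted message fields are consumed. The following is an added illustration written for this article, not WhatsApp's code, and the allowlisted CDN host, the message shapes and the sample messages are all constructed assumptions:

```javascript
// Added illustration (not WhatsApp's code). Two defensive checks of the kind
// that close the bug classes in the text. The allowlisted host and the message
// field names are assumptions made for this example.
const ALLOWED_MEDIA_HOSTS = new Set(["media.example-cdn.invalid"]); // constructed

// Validate a media URL carried in an inbound message (e.g. a sticker) before
// any fetch: parse strictly, require https, reject embedded credentials and
// require an allowlisted host. Anything unparseable is refused, not guessed at.
function isAllowedMediaUrl(raw) {
  let url;
  try {
    url = new URL(String(raw));
  } catch {
    return false;
  }
  if (url.protocol !== "https:") return false;
  if (url.username || url.password) return false; // "https://cdn@evil" style tricks
  return ALLOWED_MEDIA_HOSTS.has(url.hostname.toLowerCase());
}

// Sanitize a link taken from a live-location message for use as an href.
// Only http/https survive; other schemes (javascript:, data:, ...) yield null.
function safeHref(raw) {
  let url;
  try {
    url = new URL(String(raw));
  } catch {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return url.href;
}

// Escape a string for insertion into HTML text or attribute context so an
// untrusted message field cannot inject markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Build the HTML for a live-location message: sanitized href, escaped label.
// A rejected link degrades to plain text instead of a clickable element.
function renderLocationLink(message) {
  const href = safeHref(message.link);
  const label = escapeHtml(message.label);
  if (href === null) return `<span>${label}</span>`;
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${label}</a>`;
}

// Constructed sample messages: one benign and one hostile of each kind.
const SAMPLE_MESSAGES = [
  { kind: "sticker", url: "https://media.example-cdn.invalid/s/1.webp" },
  { kind: "sticker", url: "https://attacker.invalid/track.png" },
  { kind: "location", link: "https://maps.example.invalid/?q=1,2", label: "My location" },
  { kind: "location", link: "javascript:alert(1)", label: "<b>click</b>" },
];

// Run every sample through the matching check and report what was accepted.
function triage(messages) {
  return messages.map((m) => {
    if (m.kind === "sticker") {
      return { kind: m.kind, fetchAllowed: isAllowedMediaUrl(m.url) };
    }
    return { kind: m.kind, html: renderLocationLink(m) };
  });
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(triage(SAMPLE_MESSAGES), null, 2));
}
```

The key design choice is that both checks are applied on parsed, normalized values rather than on the raw string, and both fail closed: a sticker whose URL is not on the allowlist is never fetched, and a location link with a non-web scheme is rendered as inert text.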
WhatsApp said it will continue to disclose and patch issues “as quickly as possible,” revealing that five of the six bugs were patched on the same day they were discovered, according to a published report. The last flaw took a bit more time – as in a few days – to fix, the company said.
Some of the bugs were discovered through the Facebook bug-bounty program, which also covers WhatsApp issues, while others were found during code reviews, or by company security staff and its own automated systems, according to the report.
More transparency from WhatsApp about platform flaws is certainly welcome, as last year the company disclosed a zero-day vulnerability only after hackers were already exploiting it to install spyware on people’s smartphones.
Facebook later sued Israeli company and creator of the Pegasus spyware NSO Group over the hack, alleging that it developed the surveillance code and used vulnerable WhatsApp servers to send malware to approximately 1,400 mobile devices. NSO has denied any wrongdoing in the matter.