It seems that Facebook wants to be more transparent in case of security flaws in its services. That’s why recently, it has launched a new WhatsApp advisory website on September 3, where they disclosed 6 new WhatsApp vulnerabilities in Android and desktop that allows threat actors to execute arbitrary code remotely.
In this WhatsApp Security Advisory blog, the company will list all the newly discovered and fixed vulnerabilities in WhatsApp to keep their services more transparent to users.
The CVE IDs are mainly used by the security researchers to track the bugs, and the security companies to alert their clients about the flaw detected.
According to the WhatsApp report, among these six bugs, one of the bugs was fixed on the same day when detected, and they also claimed that the hackers have not yet able to exploit these vulnerabilities.
Apart from all these things, many of the bugs are discovered with the help of the “Bug Bounty program,” while the experts found the rest in routine code checkups.
6 WhatsApp Vulnerabilities Detected
The security experts have detected six bugs, among them, four bugs are detected in Android, while the rest of two bugs are detected in desktop versions; here they are mentioned below:-
- CVE-2020-1894: A stack write overflow Bug in WhatsApp Business for Android
- CVE-2020-1891: A user-controlled parameter used in a video call in WhatsApp for Android
- CVE-2020-1890: A URL validation issue in WhatsApp for Android
- CVE-2020-1889: security feature bypass issue in WhatsApp Desktop versions
- CVE-2020-1886: A buffer overflow in WhatsApp for Android
- CVE-2019-11928: An input validation issue in WhatsApp Desktop versions
It’s a stack write overflow in WhatsApp, and it enables the attackers to execute and exploit arbitrary code while playing an especially crafted push to talk message. This flaw affects the WhatsApp version 2.20.35 and below ones for Android, WhatsApp Business version 2.20.20 and below ones for Android, WhatsApp for iPhone in version 2.20.30 and earlier, and WhatsApp Business for iPhone in version 2.20.30 and earlier.
This is a user-controlled parameter that is used in a video call in WhatsApp. This flaw affects the WhatsApp for Android before the version 2.20.17, WhatsApp Business for Android before the version 2.20.7, WhatsApp for iPhone before the version 2.20.20, and WhatsApp Business for iPhone before the version 2.20.20. Not only this, but it also enables an out-of-bounds to write on 32-bit devices.
This is a URL validation that has been issued in WhatsApp, and this flaw affects the Android before the version 2.20.11 and WhatsApp Business for Android before the version v2.20.2. It made the recipient of a sticker message carrying designed twisted data to store an image from a sender-controlled URL without any user cooperation.
This is a security feature bypass issue in WhatsApp, and it mainly affects the Desktop versions before version 0.3.4932. It allows for sandbox evasion in electron and escalation of right if blended with a remote code execution vulnerability inside the sandboxed renderer method.
It is a buffer overflow in WhatsApp, which affects the Android before the version 2.20.11 and WhatsApp Business for Android before the version 2.20.2, and it also allowed an out-of-bounds to write through a specially crafted video stream after getting and then responding a malicious video call.
This flaw is an input validation issue in WhatsApp that affects the Desktop versions before version 0.3.4932, and it also enabled cross-site scripting (XSS)upon clicking on a link from a specifically crafted live location message.
Apart from this, on several occasions, we have seen how the attackers have targeted WhatsApp. The Israeli surveillance company, NSO Group, attacked WhatsApp in 2019, where they exploit a bug in WhatsApp’s video calling feature to get entry and install spyware on users’ smartphones.
WhatsApp Asserted that its new security advisory portal would be updated each month. But, if they will found any severe vulnerability, then they will update this portal immediately to notify and alert all its users. As this will definitely boost the company to keep its services transparent and enhance the security of its services and users.
Follow in Twitter for Daily cyber security & hacking news updates: Cyber Security News