WhatsApp has published a webpage detailing six CVEs that its security team discovered and fixed. As Facebook (the owner of WhatsApp) points out, none of these flaws were detected as being exploited in the wild, so the fixes came before the risk for two billion users became real. That is a particular relief, considering that some of the discovered vulnerabilities could have been exploited remotely, without particularly specialized knowledge or an extensive set of preconditions.
The six flaws are the following:
CVE-2020-1894: Stack write overflow affecting WhatsApp for Android 2.20.35 (and prior) and WhatsApp for iOS 2.20.30 (and prior). Exploitation could come through a specially crafted “push to talk” message.
CVE-2020-1891: Out-of-bounds write on 32-bit devices, affecting WhatsApp for Android 2.20.17 and WhatsApp for iOS 2.20.20 and prior.
CVE-2020-1890: URL validation flaw that could be exploited through a malicious sticker message that loads an image from a location controlled by the sender. Affects WhatsApp for Android 2.20.11 and prior.
CVE-2020-1889: A sandbox escape in the Electron renderer that would be executed remotely. This one affects WhatsApp Desktop 0.3.4932 and previous versions.
CVE-2020-1886: A buffer overflow vulnerability triggered via an out-of-bounds write caused by a specially crafted video stream. Affects WhatsApp for Android 2.20.11 and all versions before it.
CVE-2019-11928: An input validation flaw affecting the Desktop version of WhatsApp, 0.3.4932 and earlier. An attacker could have exploited it by using a specially crafted live location message, tricking the victim into clicking a link, and creating a cross-site scripting condition.
Five of the above were fixed on the same day as their discovery, while the sixth took another couple of days to remediate completely. Two of the bugs were found and reported by researchers who participate in Facebook’s Bug Bounty Program, while the other four were unearthed by the company’s internal security teams and the automated scanners they deploy.
If you’re using WhatsApp, updating to the latest available version should be non-negotiable, and this applies continually, not just on this occasion. Remember, these flaws were identified and fixed silently, so people had already received the updates without knowing what was fixed or being able to fully appreciate the importance of updating their WhatsApp clients.
This is yet another reminder of why keeping the software tools you’re using up to date is so crucially important. When we’re talking about end-to-end encrypted communications platforms like WhatsApp, this is even more critical.