Facebook posted a security advisory for a buffer overflow vulnerability in its subsidiary WhatsApp that could allow an attacker to install Pegasus spyware on victims' devices.
The spyware, developed by the Israeli NSO Group, lets its operators turn on a phone's camera and microphone, read emails and messages, and collect the user's location data. It can be delivered simply by calling the target, without leaving a trace and without the victim needing to answer the call.
The vulnerability affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.
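The version list above is the practical check a defender needs: an installed build is affected when it is older than the first fixed release for its product. The example below is added here and is not code from Facebook, WhatsApp or the advisory; it turns the advisory's version thresholds into a numeric version comparison and runs it over a constructed device inventory (the product keys and device records are assumptions, not identifiers from the advisory). It also shows why a plain string comparison gets this wrong: as strings, "2.19.51" sorts after "2.19.134".

```python
# Added example (not from the advisory): check installed WhatsApp builds
# against the first fixed release per product quoted in the advisory.
from typing import Dict, List, Tuple

# First release that is NOT affected, per product, as listed in the advisory.
# The product keys are constructed labels for this example.
FIXED_VERSIONS: Dict[str, str] = {
    "android": "2.19.134",
    "business-android": "2.19.44",
    "ios": "2.19.51",
    "business-ios": "2.19.51",
    "windows-phone": "2.18.348",
    "tizen": "2.18.15",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so 2.19.51 < 2.19.134 compares
    numerically rather than lexically."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, installed: str) -> bool:
    """True when the installed build predates the fixed release for that product."""
    if product not in FIXED_VERSIONS:
        raise KeyError(f"unknown product {product!r}")
    return parse_version(installed) < parse_version(FIXED_VERSIONS[product])


def naive_is_affected(product: str, installed: str) -> bool:
    """The common mistake: comparing version strings lexically. Kept only to
    show that it misclassifies builds such as Android 2.19.51."""
    return installed < FIXED_VERSIONS[product]


# Constructed inventory records: (device id, product, installed version).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("dev-001", "android", "2.19.51"),        # older than 2.19.134 -> affected
    ("dev-002", "android", "2.19.134"),       # exactly the fixed build -> not affected
    ("dev-003", "business-ios", "2.19.44"),   # older than 2.19.51 -> affected
    ("dev-004", "tizen", "2.18.15"),          # exactly the fixed build -> not affected
    ("dev-005", "windows-phone", "2.18.300"), # older than 2.18.348 -> affected
]


def scan_inventory(records: List[Tuple[str, str, str]]) -> List[str]:
    """Return the ids of devices whose WhatsApp build still needs updating."""
    return [dev for dev, product, ver in records if is_affected(product, ver)]


if __name__ == "__main__":
    for dev in scan_inventory(SAMPLE_INVENTORY):
        print(f"{dev}: update required")
```

Run it over an export from a mobile device management console in place of SAMPLE_INVENTORY. The thresholds are the minimum patched builds, so any later release passes the check; the comparison only tells you a device is behind, and the update itself still has to come through the official app store.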
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” said WhatsApp in a statement.
StarLeaf CTO William MacDonald called the vulnerability an extremely severe security hole.
“Despite instant messaging becoming a growing part of our culture of communication, social platforms are often unwisely used for business,” MacDonald said. “This example clearly demonstrates that there are many organizations aggressively hunting for flaws in consumer applications for commercial gain and for use by third parties.”
MacDonald added that because consumer apps are not designed for business use, it is every employee's responsibility to adopt only the right solutions, in order to minimize risk and protect both company and customer data.
Wandera Vice President of Engineering Mike Campin considered the attack “deeply worrying” and said it “shows how even the most trusted mobile apps and platforms can be vulnerable.”
“While this attack is based on a previously identified exploit known as Pegasus, the fact that it has been repackaged into a form that can be delivered via a simple WhatsApp call has shocked many,” Campin said.
Campin added that although the app is not typically used as a corporate messaging application, it is widely used on both employees' personal devices and corporate-issued devices; once exploited, it could grant a threat actor access to all of the data on a user's phone, potentially jeopardizing corporate networks as well.
“While it’s less likely that the average citizen would be targeted with this kind of spyware, WhatsApp is used by many people for whom the privacy of their conversations is a life and death matter,” said Tripwire Vice President of Product Management and Strategy Tim Erlin.
“No software is perfectly secure and vulnerabilities like these are going to exist,” he said. “The response is what matters.”
Fortunately, the vulnerability has been patched and users are urged to update as soon as possible.
Regardless of the vulnerability's disclosure, there may be more problems on the horizon, warned Kevin Stear, lead threat analyst at JASK.
“Recent censorship (e.g. China) and at-scale exploitation scares (e.g. CVE-2019-3568) have raised questions about both the application’s security and more specifically its actual efficacy at privacy protection,” Stear said. “The exploitation of WhatsApp and other encrypted messaging applications has long been a focus for almost every nation-state with advanced cyber capabilities and operations, and it’s extremely likely that a number of exploitation methods that haven’t been made public yet are currently being evaluated and/or employed by advanced persistent threats (APTs).”
Ultimately, the situation has been resolved for those who have updated their apps, and some researchers are praising WhatsApp for its prompt response.
“While there is not much the average user can do in this situation, for high profile individuals, or those working with sensitive information, it becomes important to evaluate downloaded apps, and indeed the functionality of a smartphone as a whole,” said Javvad Malik, security awareness advocate at KnowBe4.
“Flaws can exist in every software, but kudos to the WhatsApp team for their rapid turnaround and releasing of a fix,” Malik said.