Once again, Facebook has made it into the news because of a security issue. This time, however, it has also shipped a patch for the flaw, which affects its WhatsApp product. As disclosed recently by Facebook, a serious vulnerability exists in WhatsApp Messenger on all platforms. Potential attackers could exploit this WhatsApp security flaw to deliver spyware to target devices. The malware reportedly belongs to the Israeli firm NSO Group.
WhatsApp Security Flaw Triggering Spyware Attacks
Facebook has recently disclosed a serious security vulnerability threatening WhatsApp users around the world. It allegedly left 1.5 billion users vulnerable to spyware attacks.
Describing this WhatsApp security flaw (CVE-2019-3568), Facebook stated in its advisory,
“A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.”
In simple words, a potential attacker could deliver malware to the target device by sending crafted Secure Real-time Transport Control Protocol (SRTCP) packets. A mere WhatsApp call to the target device would suffice. The spyware didn’t even require the recipient to answer the call; it would still be installed when the call went unanswered. The calls would then disappear from the call logs.
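As an added illustration of the bug class the advisory describes (a parser trusting a length field inside an SRTCP packet), the following C routine is not WhatsApp's code, whose parser is not public: it walks a compound RTCP packet and rejects any sub-packet whose declared length exceeds the bytes actually received, rather than using that length for a copy. The sample packets are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RTCP_HDR 4  /* fixed header: V|P|RC, PT, 16-bit length (RFC 3550) */

/* Walk one compound RTCP packet. Each sub-packet's length field (32-bit words
 * minus one) is validated against the bytes that remain BEFORE it is used.
 * Returns the number of sub-packets, or -1 if a header is truncated, the
 * version is wrong, or the length claims more than the buffer holds.
 * Payload types are recorded in pts[] (up to max_pts) for the caller. */
int rtcp_validate_compound(const uint8_t *buf, size_t len,
                           uint8_t *pts, size_t max_pts)
{
    size_t off = 0, n = 0;
    while (off < len) {
        if (len - off < RTCP_HDR) return -1;        /* header runs past the end */
        const uint8_t *p = buf + off;
        if ((p[0] >> 6) != 2) return -1;            /* RTCP version must be 2 */
        size_t plen = ((((size_t)p[2] << 8) | p[3]) + 1) * 4;
        if (plen > len - off) return -1;            /* untrusted length > remaining */
        if (n < max_pts) pts[n] = p[1];
        n++;
        off += plen;
    }
    return (int)n;
}

/* Constructed sample (hypothetical, not a captured packet): a Sender Report
 * (PT 200, length 6 -> 28 bytes) followed by a minimal SDES (PT 202,
 * length 1 -> 8 bytes); bodies are zero-filled. If corrupt_len is set, the
 * SDES length field is rewritten to claim 1024 bytes. Returns 36. */
size_t build_sample(uint8_t *out, int corrupt_len)
{
    memset(out, 0, 36);
    out[0] = 0x80; out[1] = 200; out[2] = 0x00; out[3] = 0x06;   /* SR */
    out[28] = 0x81; out[29] = 202; out[30] = 0x00; out[31] = 0x01; /* SDES */
    if (corrupt_len) { out[30] = 0x00; out[31] = 0xFF; }
    return 36;
}

/* Build the sample, optionally truncate it to truncate_to bytes (0 = no
 * truncation), and return the validator's verdict. */
int check_sample(int corrupt_len, size_t truncate_to)
{
    uint8_t pkt[36], pts[4];
    size_t len = build_sample(pkt, corrupt_len);
    if (truncate_to && truncate_to < len) len = truncate_to;
    return rtcp_validate_compound(pkt, len, pts, 4);
}
```

In a real SRTCP stack this walk belongs after the packet's authentication tag has been verified, so that unauthenticated input never reaches the parser at all.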
While Facebook didn’t reveal any other details about the flaw, a report from the Financial Times added some alarming details. As revealed, the spyware belonged to the Israeli NSO Group. The firm is an infamous spyware seller, also alleged to have been involved in the surveillance of the journalist Jamal Khashoggi through software it sold to Saudi Arabia. Nonetheless, the firm has denied its involvement.
Commenting on this flaw, Winston Bond, EMEA Technical Director, Arxan Technologies, told LHN,
“The attack on WhatsApp is based on using a bug in the code to give the attackers control over what it does. It takes a lot of research and reverse engineering to create an attack like that.”
Facebook Patched The Flaw
Facebook has attempted to patch the flaw by releasing updated WhatsApp versions a couple of days ago. According to the BBC, WhatsApp engineers first found the flaw in early May, after which they shared the information with the US Department of Justice, certain security vendors and human rights groups. As WhatsApp said in its statement,
“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems. We have briefed a number of human-rights organizations to share the information we can, and to work with them to notify civil society.”
Specifically, the patched versions include WhatsApp for Android v2.19.134, WhatsApp for iOS v2.19.51, WhatsApp Business for Android v2.19.44, WhatsApp Business for iOS v2.19.51, WhatsApp for Windows Phone v2.18.348, and WhatsApp for Tizen v2.18.15.
Are Users Now Secure?
For now, WhatsApp hasn’t revealed details about possible victims of the flaw, deeming it ‘too early’. Nonetheless, the highly targeted attacks exploiting this flaw have alarmed the news media.
According to Winston Bond,
“Nothing will stop bugs, but app hardening would have made that research phase much harder and could have given Facebook a heads-up that someone was tinkering with their app. Unfortunately, too many consumer-facing apps are published without any serious protection against reverse engineering. It’s time that changed.”
While Facebook has rolled out a WhatsApp update that presumably addresses the flaw, it is strange that the release notes do not mention any security fix. For instance, for WhatsApp for Android v2.19.134, the release notes state,
“It’s now easier to start group voice and video calls. Just tap the call button in groups or select “New group call” when starting a new call in the calls tab. Group calls support up to 4 participants.”
For WhatsApp for iOS v2.19.51, the release notes read,
“You can now see stickers in full size when you long press a notification.”
Neither says anything about whether the update removes or disables spyware that is already installed.
In a statement to MailOnline, Andrew Martin, CEO DynaRisk, said,
“Given the lack of knowledge about the spyware at this stage, even the software update sent out by WhatsApp may not be enough to protect users’ privacy.”
For now, users should make sure they update WhatsApp on their devices to the latest versions to avoid potential attacks.
We shall update our readers as we hear more regarding this news.