WhatsApp reveals security bugs that endangered the accounts of its two billion users

It disclosed these issues on its newly created Security Advisories page, which WhatsApp will use to highlight any further security issues that it detects and fixes.

September 05, 2020 06:00 pm | Updated September 07, 2020 01:07 pm IST

WhatsApp reveals six security vulnerabilities

WhatsApp disclosed six security vulnerabilities that could have left the accounts of its two billion users around the world prone to hacks. It has now fixed those issues.

The messaging, calling and data sharing platform identified four security bugs in WhatsApp for Android, two in WhatsApp desktop versions and two in its iPhone clients.

The Facebook-owned service detected a URL validation issue in WhatsApp for Android that could have caused the recipient of a sticker message containing deliberately malformed data to load an image from a sender-controlled URL.

It also found a security bypass issue in WhatsApp desktop versions that could have allowed attackers to remotely execute vulnerable code.

A user receiving and answering a malicious video call could also have allowed an attacker to overwrite code in WhatsApp for Android.

The team also found some video calls on iPhone vulnerable to attacks that could have allowed hackers to overwrite some code.

Android and iPhone users playing an audio message could have allowed attackers to remotely execute malicious code.

It found vulnerabilities in some live location links in the desktop versions. Clicking those links could have allowed attackers to inject malicious code into the web applications.

According to its policies, WhatsApp cannot disclose security issues until fully investigated or fixed. It can then make the updates widely available through the respective app stores.

However, it cannot always list the security advisories within app release notes due to the policies and practices of app stores, WhatsApp said.

Its security advisory page will provide a consolidated list of the security updates and the associated Common Vulnerabilities and Exposures (CVE) entries. WhatsApp expects that the details included in CVE descriptions can help researchers understand technical issues and fix them.

WhatsApp also relies on numerous code libraries developed by third parties for various features. It will post and explain any security update for these libraries on this page, helping developers and providers of mobile operating systems learn of the security issues that WhatsApp may identify.

“This resource is intended to help the broader technology community benefit from the latest advances in our security efforts,” WhatsApp said.

WhatsApp said that it conducts internal security reviews and relies on automated detection systems to identify and fix any issues. It works with leading security firms to conduct reviews of its practices, and consults external researchers to find and fix security issues.
