WhatsApp Patches Security Vulnerability That Allowed Spyware

A security vulnerability was discovered in the messaging app. Users are now encouraged to upgrade after a patch was released.

A security vulnerability was discovered in the popular messaging service WhatsApp. The vulnerability has since been patched, so users are being urged to upgrade to the latest version. Of course, the vulnerability was discovered in an app used by 1.5 billion people, so naturally the media took interest in it.

To be clear, this is a genuine security flaw. Our understanding is that attackers could upload spyware to a victim's device after placing a phone call to them, even one the victim missed and never answered.

Some are wondering whether something like WhatsApp is actually secure. If not, who can you trust? The thing is, security vulnerabilities are found on a daily basis in the applications we use. Sometimes, big-name applications and services are affected. Other times, it's a relatively small and unknown program in which someone discovers a vulnerability.

So, if you use WhatsApp and are freaked out that you are no longer secure, well, welcome to computer coding. Adobe Flash has become well known in the last several years as a hotbed for security vulnerabilities. Yes, the package was constantly updated and fixed, but vulnerabilities were regularly discovered. The thing is, for a long time, Flash was a web standard application container. People used it for playing web browser games or watching video. YouTube used Flash all the way up to 2015, at which point it dropped Flash for HTML5. The world didn't grind to a halt every time a vulnerability was discovered.

For me, personally, I've used WordPress for about a decade now. In that time, I've seen a number of security vulnerabilities hit WordPress. There have been cross-site scripting issues and Heartbleed bugs. I still use WordPress. Why? Because this stuff got patched. Updates have been distributed. I update the software accordingly. The world moves on.

What users need to be wary of are developers who refuse to fix a vulnerability. If, say, a white-hat hacker discovers a zero-day vulnerability and the developer's response is that they aren't fixing it, or the white-hat hacker gets brushed off and ignored completely, that's when users need to be concerned.

Still, this isn't stopping some journalists from concerning themselves with disclosure. The Irish Times, for instance, is pointing out that the vulnerability hasn't yet been disclosed to data regulators:

WhatsApp has not as yet informed the Data Protection Commissioner of any data protection breaches arising from the discovery of a security hole in its popular messaging app.

In a statement, the commissioner said it was “actively engaging with WhatsApp Ireland to determine if and to what extent any EU user data has been affected”.

“While the possibility remains that EU users were affected and in light of the understood severity of the incident, all WhatsApp users are urged to ensure that the latest version of the WhatsApp application is installed on their device, available via the Apple Store or Google Play Store,” it said.

Tracking the severity of this issue is difficult. While it could have theoretically been used to target anyone, this particular vulnerability appears to have been directed at a specific individual. From KSRO:

The human rights lawyer at the center of the WhatsApp security breach said it “doesn’t come as a surprise” that the same spyware whose use he is suing against was allegedly used on him.

“Several weeks ago I started receiving WhatsApp video calls early in the morning,” the lawyer told ABC News. “These would ring for a few seconds and then that’s it. Missed calls. I was suspicious of these calls.”

The calls originated in Sweden.

He then contacted Citizen Lab, a research center at the Munk School of Global Affairs at the University of Toronto, which has previously investigated the use of spyware created by the Israel-based NSO Group, which has been accused of supplying tools for regimes to hack the phones of dissidents, human-rights activists and journalists.

The lawyer is on the team representing several of these activists and journalists who are suing NSO, claiming the company’s tracking software, Pegasus, was used to infiltrate the devices of dissidents including Omar Abdulaziz, a Saudi in Canada who claims his WhatsApp messages with his friend, the murdered Washington Post journalist Jamal Khashoggi, were accessed by hackers using Pegasus.

“NSO operates according to the law and adheres to a clear ethical policy that is meant to prevent misuse of its technology,” NSO told ABC News in a statement. “NSO only licenses its technology to approved government intelligence and law enforcement agencies for the sole purpose of preventing and fighting crime and terror, according to clear definitions.”

With the vulnerability patched and seemingly having been used against a particular person, it's hard to see any real scandal in this one. Yes, it affected a large and well-known app, but the issue has, for the most part, already been resolved. People need to update, and the world can move on.

Drew Wilson on Twitter: @icecube85 and Facebook.
