has revealed six vulnerabilities in the app that could have allowed attackers to push malicious code remotely through images, URLs and video calls. WhatsApp claims that these vulnerabilities are now fixed, but there is no official information on whether users were impacted.
According to WhatsApp, a bug now identified as CVE-2020-1894 could have allowed arbitrary code execution when playing a specially crafted push to talk message. This was caused by a stack write overflow in WhatsApp for Android prior to v2.20.35 and WhatsApp for iPhone prior to v2.20.30. The same issue was present in the respective WhatsApp Business apps as well.
WhatsApp also had a URL validation issue. “WhatsApp for Android prior to v2.20.11 and WhatsApp Business for Android prior to v2.20.2 could have caused the recipient of a sticker message containing deliberately malformed data to load an image from a sender-controlled URL without user interaction,” it explained.
WhatsApp also had “an input validation issue” in
versions prior to v0.3.4932. This issue could have allowed
upon clicking on a link from a specially crafted live location message, it said.
“A buffer overflow in WhatsApp for Android prior to v2.20.11 and WhatsApp Business for Android prior to v2.20.2 could have allowed an out-of-bounds write via a specially crafted video stream after receiving and answering a malicious video call,” said WhatsApp while describing another issue with
All six vulnerabilities are reported on WhatsApp’s security advisory website. This site will keep a record of all security updates and Common Vulnerabilities and Exposures (CVE). The aim of this website is mainly to promote WhatsApp as a transparent entity and also to help security researchers understand the issues and bugs better. Along with explaining the details of each vulnerability, WhatsApp is letting users know how certain bugs could have been used by attackers. It further clarifies that “CVE descriptions are meant to help researchers understand technical scenarios and does not imply users were impacted in this manner.”