The company committed to more transparency about app flaws, with an advisory page aimed at keeping the community better informed of security vulnerabilities.
Facebook-owned WhatsApp has fixed six previously undisclosed vulnerabilities in its chat platform, revealing the move on a new dedicated security advisory site aimed at informing its more than 2 million users about bugs and keeping them updated on app security.
The site is part of an effort by WhatsApp to be more transparent about platform vulnerabilities to not just users, but also the security community, and patch them in a timely manner. The latter is something for which the company has been criticized in the past.
“We are very committed to transparency, and this resource is intended to help the broader technology community benefit from the latest advances in our security efforts,” the company said in a post about the new site.
The advisory page will provide a comprehensive list of WhatsApp security updates and associated Common Vulnerabilities and Exposures (CVEs), with descriptions aimed at helping researchers understand the impact of the bugs.
WhatsApp said it will keep “with industry best practices” and not disclose security issues until claims have been “fully investigated,” “necessary fixes” issued and updates provided through respective app stores.
WhatsApp got a head start on its new commitment to transparency, revealing six bugs that the company recently patched before there was any evidence that they had been exploited by threat actors, it said.
Some of the bugs could have been triggered remotely. One, CVE-2020-1890, was a URL-validation issue in Android versions of WhatsApp and WhatsApp Business that could have caused the recipient of a sticker message containing deliberately malformed data to load an image from a sender-controlled URL without user interaction.
Other bugs required user interaction, such as CVE-2019-11928, an input-validation issue in some WhatsApp Desktop versions that could have allowed cross-site scripting if a user clicked on a link from a specially-crafted live location message.
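The two bug classes just described, sender-controlled media URLs and unescaped link content, are both input-validation problems on the receiving side. As an added illustration that is not WhatsApp's code and does not come from the Threatpost report, the JavaScript below sketches the kind of defensive checks a messaging client applies: media URLs are accepted only when they parse, use https and point at an allowlisted host, and a live-location message is rendered with a link target built from numeric coordinates and HTML-escaped label text. The hostnames, message field names and placeholder asset are all assumptions for the example.

```javascript
// Added example (not WhatsApp code). Hostnames, message shapes and field names
// are assumptions chosen for illustration.
const ALLOWED_MEDIA_HOSTS = new Set(["media.example-cdn.test"]); // placeholder CDN host

// Return a normalized URL string if it is an https URL on an allowlisted host,
// otherwise null. Uses the WHATWG URL parser rather than hand-rolled string checks.
function validateMediaUrl(raw) {
  let url;
  try {
    url = new URL(String(raw));
  } catch (e) {
    return null; // unparseable input is rejected, not "best-effort" loaded
  }
  if (url.protocol !== "https:") return null;
  if (url.username || url.password) return null; // "https://cdn-host@other-host/" style confusion
  if (!ALLOWED_MEDIA_HOSTS.has(url.hostname.toLowerCase())) return null;
  return url.href;
}

// Decide what image a sticker message should display. Anything that fails
// validation falls back to a local placeholder instead of fetching from the sender's URL.
function resolveStickerImage(sticker) {
  const candidate = sticker && typeof sticker.url === "string" ? sticker.url : "";
  return validateMediaUrl(candidate) || "asset://sticker-placeholder"; // placeholder asset name
}

// Minimal HTML escaping for sender-supplied text inserted into an HTML document.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render a live-location message as an anchor. The href is derived from numeric
// coordinates only, so the sender cannot supply a scheme or path; the visible
// label is escaped so it cannot inject markup.
function renderLocationLink(message) {
  const lat = Number(message.lat);
  const lon = Number(message.lon);
  if (!Number.isFinite(lat) || !Number.isFinite(lon)) {
    return "<span>Location unavailable</span>";
  }
  const href = `https://maps.example.test/?q=${encodeURIComponent(`${lat},${lon}`)}`; // placeholder map host
  const label = escapeHtml(message.label || "Shared location");
  return `<a href="${href}" rel="noopener noreferrer" target="_blank">${label}</a>`;
}

// Constructed sample messages exercising the checks above.
const sampleSticker = { url: "https://media.example-cdn.test/stickers/1.webp" };
const malformedSticker = { url: "https://media.example-cdn.test@other-host.test/1.webp" };
const sampleLocation = { lat: 1.5, lon: 2.5, label: "<img src=x onerror=alert(1)>" };

console.log(resolveStickerImage(sampleSticker));
console.log(resolveStickerImage(malformedSticker));
console.log(renderLocationLink(sampleLocation));
```

The point of the structure is that the parser, not the rendering code, decides what counts as a valid URL, and that every failure path ends in a safe default rather than in loading or executing sender-controlled content.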
WhatsApp said it will continue to disclose and patch issues “as quickly as possible,” noting that five of the six bugs were patched on the same day they were discovered, according to a published report. The sixth flaw took a bit more time – a few days – to fix, the company said.
Some of the bugs were discovered through the Facebook bug-bounty program, which also covers WhatsApp issues, while others were found during code reviews, or by company security staff and its own automated systems, according to the report.
More transparency from WhatsApp about platform flaws is certainly welcome, as last year the company disclosed a zero-day vulnerability only after hackers were already exploiting it to install spyware on people’s smartphones.
Facebook later sued NSO Group, the Israeli company that created the Pegasus spyware, over the hack, alleging that it developed the surveillance code and used vulnerable WhatsApp servers to send malware to approximately 1,400 mobile devices. NSO has denied any wrongdoing in the matter.
WhatsApp Discloses 6 Bugs via Dedicated Security Site