What’s Behind the WhatsApp Flaw: Unpalatable Truths Revealed
Severe vulnerability in popular app exposed - but what does it mean for business?
WhatsApp has admitted that a vulnerability of the most serious type has only recently been patched after being allegedly exploited by nation-state-level actors. The vulnerability allowed for remote code execution on roughly 1.5 billion mobile devices worldwide, and required no user interaction - attackers merely needed to place a call to targeted devices in order to exploit the flaw.
The company has told media sources that the highly sophisticated attack is likely to have been a "private company working with governments on surveillance", and has reported the incident to the U.S. Department of Justice, as well as EU watchdogs.
WhatsApp has been tested using the ImmuniWeb free security tool 316 times during the last 12 months, and in the last analysis no fewer than six medium risk bugs and seven low risk bugs from the OWASP top 10 were recorded. Perhaps inevitably, tests using the ImmuniWeb phishing tool found that WhatsApp is a popular attack vector, with 279 potential phishing entries, 333 cases of potential cybersquatting and 84 potential typosquatting issues uncovered.
"WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices," a spokesman told reporters.
"We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users," he said.
WhatsApp has also informed Ireland's Data Protection Commission (DPC), of a "serious security vulnerability" on its platform. “The DPC understands that the vulnerability may have enabled a malicious actor to install unauthorized software and gain access to personal data on devices which have WhatsApp installed,” the regulator said in a statement.
WhatsApp owner Facebook issued a CVE-2019-3568 notice and also announced that the flaw is patched in the latest version of WhatsApp. As detailed in the CVE, the underlying issue is reported as a “buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.”
Although of the maximum severity, the existence of a zero-day flaw in a popular app is certainly not unprecedented, although the nation state involvement is not so run-of-the-mill. However, the scale of the user base is enormous, and illustrates just how difficult a task securing the enterprise has become. When nation states create powerful malware delivered via zero day flaws in household-name apps, we have seen widespread chaos (such as WannaCry) which is beyond the resource of even the biggest blue-chip companies to prevent.
Indeed, many reports on the WhatsApp flaw identify NSO Group as being the originator, an Israeli software company also known for creating and maintaining Pegasus - a powerful spyware package. Pegasus has been discovered on thousands of target devices, including board members of blue chip firms, but also on activist and NGO workers devices.
Ilia Kolochenko, CEO of ImmuniWeb said: “The mere fact that such a vulnerability can be exploited remotely in a default configuration is extremely critical and alarming. It is an unprecedented security flaw in terms its potential to run high-profile targeted attacks. WhatsApp is so popular that virtually everyone is a potential victim. Worse, today, access to someone’s smartphone likely provides access to much more sensitive information than access to a computer for example. The ability to track the victim in real time, to listen to a device’s microphone and read instant communications are all a golden-mine for cybercriminals.”
“Rumors about such security flaws were circulating since a while already, but few people took them seriously. All corporate users of WhatsApp should urgently launch forensics on their mobile devices to verify whether they were compromised and backdoored.”
“I think this tremendous security incident will cause irreparable damage to Facebook's reputation, as people are fed up seeing their data being sold, leaked and hacked. Serious legal ramifications are also foreseeable.”
In short, WhatsApp was always going to be a highly prized target for attackers, unfortunately worth investing time and effort in hunting zero-day attacks. Preventing any knock-on impact for enterprise security is a huge challenge - have you tested your corporate apps and site recently?