WhatsApp has disclosed six previously undisclosed vulnerabilities that were quickly fixed. The vulnerabilities have been reported on a dedicated security advisory website that will be used to post news about WhatsApp updates and emerging vulnerabilities in the future.
According to company representatives, five of the six vulnerabilities were fixed on the same day, while the last one required further work and took several days to fix. Although some of the bugs could be triggered remotely, no evidence was found that anyone had tried to take advantage of these vulnerabilities.
Two vulnerabilities were reported through the bug bounty program, and the rest were discovered during manual code review and automated tests.
WhatsApp is one of the most popular applications in the world, with over two billion users worldwide. This makes it an excellent target for hackers who are trying to find and exploit vulnerabilities in the platform.
Facebook, which owns WhatsApp, has decided to launch the website to provide transparency regarding vulnerabilities, as well as to receive feedback from users. It is doing so because WhatsApp is not always able to detail its security advisories in the app's release notes due to app store policies.
The new dashboard will be updated monthly to alert users to an active attack. An archive of past CVEs starting from 2018 will also be available on this site. While the website's primary focus will be on CVEs in WhatsApp code, if the company files a CVE with the public MITRE database for a vulnerability found in third-party code, it will note this on the WhatsApp security advisory page as well.
Last year, WhatsApp came under attack through a specific vulnerability allegedly exploited by Israeli spyware maker NSO Group. WhatsApp has filed a lawsuit against the spyware manufacturer, claiming that the company used the vulnerability to secretly deliver its Pegasus spyware to some 1,400 devices, including more than 100 human rights defenders and journalists.
John Scott-Railton, a senior fellow at Citizen Lab, whose job was to investigate the NSO Group, welcomed the news.
“This is good, and we know that attackers use vast resources to detect and exploit vulnerabilities,” he told TechCrunch. “WhatsApp sending a signal that it will regularly move to identify and correct in this way seems like another way to drive up costs for attackers.”
A message to users was posted on the WhatsApp blog after the vulnerabilities were fixed, saying that the company supports transparency and hopes that the resource will be useful to the broad technology community in ensuring security. The message also recommended that all users regularly update their software according to the app stores' recommendations.
Facebook also said Thursday that it had codified its vulnerability disclosure policy, allowing the company to alert developers to vulnerabilities in third-party code that Facebook and WhatsApp rely on.
Today we see a clear example that the existing software needs to be updated not only to retain user interest but also to ensure its high-quality operation and protect information from hackers. As mentioned earlier in the article, testing has made it possible to detect vulnerabilities and eliminate them.