On Monday, the 13th of May 2019, WhatsApp admitted to yet another breach in its security system: a flaw that enabled targeted spyware to be installed on phones through voice calls. An Israeli spying firm has been accused of using that security hole in WhatsApp, which is used by 1.5 billion people.
WhatsApp told the Financial Times that “the attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems. We have briefed a number of human rights organizations to share the information we can, and to work with them to notify civil society.”
Security researchers said they had found so-called spyware — designed to take advantage of the WhatsApp flaw — that bears the characteristics of technology from the company, the NSO Group.
Or as Facebook somewhat drily said, “A buffer overflow vulnerability in WhatsApp VoIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number. The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.”
WhatsApp engineers worked around the clock to fix the vulnerability and released a patch. They encouraged customers to update their apps as quickly as possible.
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” the Facebook-owned company said in a statement.
The WhatsApp hole was used to target a lawyer who has been involved in lawsuits that accuse NSO Group of providing tools to hack the phones of Omar Abdulaziz, a Saudi dissident in Canada; a Qatari citizen; and a group of Mexican journalists and activists, the researchers said. The researchers believe the list of targets could be much longer.
But as it turns out, WhatsApp has been suffering from several security breaches. With WhatsApp payment, WhatsApp verification codes and other features being tested, this comes as another test of the reliability and security of the application. How many more security breaches can Facebook/WhatsApp handle? And how can people still trust these applications to share private and valuable information in the midst of these serious cybersecurity threats?
This can easily be considered another hit to the famous messaging app, leaving SMS as the only truly reliable means of exchanging such delicate information, as it is independent of any OTT service, doesn’t require an internet connection and is still a fast and secure way to deliver any message. News has it that some operators have even begun working on their own chat system.