WhatsApp has a set of “holes” for attacks for every taste

Facebook and WhatsApp have shared information about six previously undisclosed vulnerabilities of differing severity. Some of them have already been fixed.

Six bugs in WhatsApp

Six bugs were found in the WhatsApp applications, each of which could be used for remote attacks. The developer itself disclosed them on a dedicated website where information about WhatsApp security issues is published.

The most critical one was CVE-2020-1894, a stack overflow that could have been used to execute arbitrary code. To exploit it, attackers would have to craft a special voice message to be played on the victim's side.

The flaw affects WhatsApp up to version 2.20.35 for Android, WhatsApp Business up to version 2.20.20 for Android, WhatsApp up to version 2.20.30 for iPhone, and WhatsApp Business up to version 2.20.30 for iPhone.

The second vulnerability, CVE-2020-1891, makes it possible to write data outside the allocated memory area on 32-bit devices. The flaw affects WhatsApp up to version 2.20.17 for Android, WhatsApp Business up to version 2.20.7 for Android, WhatsApp up to version 2.20.20 for iPhone, and WhatsApp Business up to version 2.20.20 for iPhone.

WhatsApp exposed six vulnerabilities

CVE-2020-1890, the third flaw, is caused by incorrect URL validation. The bug makes it possible to load an image from a remote server without user interaction: to do so, a sticker message containing “deliberately skewed material” must be sent to the potential target. The downloaded image, in turn, can contain malicious code.

The problem concerns versions 2.20.11 of WhatsApp for Android and up to 2.20.2 of WhatsApp Enterprise for Android.

Not only mobile versions were vulnerable

CVE-2020-1889 is a flaw in WhatsApp Desktop up to version 0.3.4932 that makes it possible to escape the Electron framework's sandbox. An attacker can achieve privilege escalation on the device by combining this weakness with another one that allows arbitrary code to run inside the application's sandboxed renderer process.

Another bug, CVE-2019-11928, was found in the same version of WhatsApp Desktop, this time in input validation. This weakness allows cross-site scripting, provided the user clicks on a link in a specially crafted live location message.

CVE-2020-1886 is a buffer overflow vulnerability in WhatsApp for Android before 2.20.11 and in WhatsApp Enterprise for Android before 2.20.2. Using a specially crafted video stream, an attacker can write beyond the allocated memory region on the victim's side after the victim answers an incoming video call.

Some of the bugs were identified as part of the bug bounty program run by Facebook. Five of them were fixed immediately after the details were received, the sixth a short while later.

“Half of the vulnerabilities identified require compliance with a number of conditions and the application of varying amounts of effort in order to carry out successful attacks,” notes Anastasia Melnikova, an information security expert at SEC Consult Services. “But there are some that can be used for attacks with minimal effort; they pose the greatest threat. However, the publication of information about them is mainly a PR stunt designed to demonstrate the seriousness of WhatsApp and Facebook to the security of their developments.”