[German]The Messenger app WhatsApp has a critical vulnerability affecting both Android and iOS. The vulnerability is already being exploited (there is an exploit from an Israeli company selling it). Users should urgently update WhatsApp.
For myself I have ‘dumped’ WhatsApp and banned it from my devices for privacy reasons since years. But I know that many people still use this Facebook service. Hence the information for blog readers.
Vulnerability in WhatsApp
In WhatsApp, the critical vulnerability CVE-2019-3568 exists. There is a buffer overflow vulnerability within the WhatsApp VOIP stack, that may be triggered though a special SRTCP packet an can lead to remote code execution. Facebook warns of this vulnerability in a security alert dated 13 Mail 2019.
Description: A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.
The vulnerability is classified as critical and exists in older WhatsApp applications prior to the following versions:
- WhatsApp for Android before v2.19.134,
- WhatsApp Business for Android beforev2.19.44,
- WhatsApp for iOS beforev2.19.51,
- WhatsApp Business for iOS beforev2.19.51,
- WhatsApp for Windows Phone beforev2.18.348,
- WhatsApp for Tizen beforev2.18.15
App updates are available for these operating systems. The update is critical because attackers exploit the vulnerability.
Hacker News reported, that attackers have secretly installed spyware on the victims’ mobile devices through the vulnerability. A targeted WhatsApp call on an Android phone or iPhone is enough. The WhatsApp call doesn’t even have to be answered by the victim. The victim can’t even trace the attack because the spyware deletes the incoming call information from the logs to work secretly.
The WhatsApp exploit was discovered and then sold by the Israeli NSO Group, which creates mobile spyware. The exploit installs Pegasus spyware on Android and iOS devices. The spyware allows the attacker to remotely access an incredible amount of data on the victim’s devices without the victim’s knowledge or control. This includes text messages, emails, WhatsApp messages, contact information, call recording, location information, and microphone and camera data.
Although the exact number of targeted WhatsApp users is still unknown, WhatsApp developers state that only a “select number” of users have been attacked by NSO Group spyware with this vulnerability. Meanwhile, Citizen Lab, a monitoring group at the University of Toronto investigating NSO Group activities, believes that the vulnerability was only used on Sunday to attack a British human rights lawyer.