WhatsApp has become the de facto method of communication for 1.5 billion folks around the world, but this week a vulnerability was discovered that is rather worrying.
The vulnerability is called CVE-2019-3568 and is described by Facebook (who owns the software) as, “A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.”
In layman’s terms – an attacker could push software (in this case surveillance software) to a user’s device by starting a WhatsApp call. The scary part, well aside from surveillance software being installed on your handset, is that the user wouldn’t have to answer the call for the remote code to be executed.
The “good” news is that WhatsApp thinks the attack was highly targeted. That having been said, it’s too early to determine how many users have been affected.
“The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” WhatsApp told the BBC.
A report by the Financial Times (paywall) suggests that NSO Group, an Israeli company, created the surveillance software that was used. The firm told the BBC that it has a rigorous licensing and vetting process, adding that if its software was being misused it would shut down the system.
WhatsApp reportedly patched its server on Friday to prevent the attacks from working, and a patch for the app itself was deployed on Monday.
Users on Android and iOS should update WhatsApp as soon as possible just to be safe.