WhatsApp launches a new website for security disclosures about the platform
WhatsApp, owned by Facebook, has so far disclosed six previously unknown vulnerabilities, all of which the company has fixed. The vulnerabilities are reported on a new dedicated security advisory website, which will serve as the resource providing a comprehensive list of WhatsApp security updates and their associated Common Vulnerabilities and Exposures (CVE) identifiers.
WhatsApp said that five of the six vulnerabilities were fixed on the same day, while the remaining bug took a couple of days to fix. Although some of the bugs could have been triggered remotely, the company said it found no evidence that hackers actively exploited the vulnerabilities.
About a third of the new vulnerabilities were reported through the company’s bug bounty program, while the others were, unsurprisingly, discovered in routine code reviews and through the use of automated systems.
WhatsApp strengthens security
WhatsApp is one of the most popular applications globally, with more than two billion users worldwide. But it is also a persistent target for hackers trying to find and exploit vulnerabilities in the platform.
The new website was launched as part of the company’s efforts to be more transparent about vulnerabilities affecting the messaging application, and in response to user feedback. The company says that the WhatsApp community has been requesting a centralized location to track security vulnerabilities, as WhatsApp cannot always detail its security advisories in an app’s release notes due to app store policies.
The new dashboard will be updated monthly, or earlier if WhatsApp needs to warn users of an active attack. It will also offer an archive of previous CVEs dating back to 2018. While the main focus of the website will be on CVEs in WhatsApp’s own code, if the company submits a CVE to the public MITRE database for a vulnerability it found in third-party code, it will also note it on the WhatsApp security advisories page.
Last year, WhatsApp made headlines after fixing a vulnerability allegedly used by Israeli spyware maker NSO Group. WhatsApp sued the spyware maker, claiming the company used the vulnerability to covertly deliver its Pegasus spyware to some 1,400 devices, including those of more than 100 human rights defenders and journalists.
John Scott-Railton, Principal Investigator for Citizen Lab, whose work has included the NSO Group research, welcomed the news.
“This is good, we know that bad actors make use of vast resources to acquire and weaponize vulnerabilities,” he told TechCrunch. “WhatsApp sending the signal that it will regularly move to identify and patch in this way seems to be another way to increase the cost for bad actors.”
Facebook said that the bugs listed on this page have not necessarily been exploited. All the vulnerabilities listed on the site are bugs that have recently been patched, and the new page should serve as an example of, and a warning about, why users should keep the WhatsApp application up to date at all times to prevent future attacks.
Furthermore, the new WhatsApp security advisories page will also list the bugs fixed in the libraries used by the app.
If these bugs have a broader impact beyond the WhatsApp app, Facebook said it would also notify the developers of those libraries and the makers of mobile operating systems.
In a blog post, WhatsApp said: “We are very committed to transparency and this resource is intended to help the broader tech community benefit from the latest advances in our security efforts. We strongly advise all users to make sure to keep their WhatsApp updated in their respective app stores and to update their mobile operating systems whenever updates are available.”
Facebook also said Thursday that it has codified its vulnerability disclosure policy, allowing the company to warn developers of security vulnerabilities in third-party code that Facebook and WhatsApp rely on.