WhatsApp discloses six previously undisclosed flaws


WhatsApp has revealed six previously undisclosed vulnerabilities affecting its app.

The vulnerabilities have been disclosed on a dedicated security advisory website aimed at informing its more than 2 million users about bugs and keeping them updated on app security.

Some of the vulnerabilities were reported through the company’s bug-bounty program and some were discovered during code reviews and by using automated systems.

Although some of the bugs could have been triggered remotely, the company said that there was no evidence of hackers actively exploiting the vulnerabilities.

One of the vulnerabilities, tracked as CVE-2020-1894, is a stack write overflow that could have allowed arbitrary code execution when playing a specially crafted push-to-talk message. The vulnerability affects WhatsApp for Android prior to v2.20.35, WhatsApp Business for Android prior to v2.20.20, WhatsApp for iPhone prior to v2.20.30, and WhatsApp Business for iPhone prior to v2.20.30.

Another vulnerability, tracked as CVE-2020-1891, is an out-of-bounds write on 32-bit devices. The bug affects WhatsApp for Android prior to v2.20.17, WhatsApp Business for Android prior to v2.20.7, WhatsApp for iPhone prior to v2.20.20, and WhatsApp Business for iPhone prior to v2.20.20.

The next flaw is a URL-validation issue, tracked as CVE-2020-1890, that could have caused the recipient of a sticker message containing deliberately malformed data to load an image from a sender-controlled URL without user interaction. The vulnerability affects WhatsApp for Android and WhatsApp Business for Android.

The other three bugs are:

A security feature bypass issue, tracked as CVE-2020-1889, that affects Desktop versions prior to v0.3.4932.

A buffer overflow, tracked as CVE-2020-1886, that resides in WhatsApp for Android prior to v2.20.11 and WhatsApp Business for Android prior to v2.20.2.

An input validation issue, tracked as CVE-2019-11928, that resides in Desktop versions prior to v0.3.4932 and could have allowed cross-site scripting if a user clicked on a link from a specially crafted live location message.

Five of the six recently disclosed flaws were patched immediately, and the sixth was patched a few days later by the company.

Image Credits : Android Central

Priyanka R
Cyber Security Enthusiast, Security Blogger, Technical Editor, Author at Cyber Safe News
