On Monday, The Financial Times reported that attackers have been exploiting a buffer overflow vulnerability in the popular messaging service WhatsApp. The vulnerability has been fixed, and updates were released on Friday. WhatsApp, owned by Facebook, is urging both iPhone and Android users to update the app as soon as possible.
Veracode’s State of Software Security Volume 9 found that buffer overflow was the 25th most common vulnerability, found in 3 percent of applications. Although not as prevalent as some other flaw categories (like XSS or SQL injection), it is a highly exploitable flaw, and organizations should be aware of it and addressing it quickly. Yet our data also reveals that organizations are taking a troubling amount of time to fix buffer overflow flaws – it took organizations an average of 225 days to address 75 percent of these flaws.
According to theWhatsApp, the vulnerability (CVE-2019-3568) in the VOIP stack allows remote code execution. The RCE vulnerability on WhatsApp is exploited by sending malicious codes to targeted phone numbers. Attackers can exploit the vulnerability by using the WhatsApp calling function to call a user’s mobile phone and then install surveillance software on the device. According to The Financial Times, a user doesn’t need to answer the call to be infected, and the calls seem to disappear from logs.
NSO Group, part-owned by private equity firm Novalpina Capital, is an Israeli company that created Pegasus, the software that is believed to be an integral element for successfully pulling off the attacks. The BBC reports that NSO’s flagship software can gather personal data from a targeted device using the microphone and camera, as well as capturing location data.
WhatsApp has reported the vulnerability to its lead regulator in the Europe Union, Ireland’s Data Protection Commission (DPC), though it is still investigating whether or not any EU user data has been affected as a result of the incident. The company also reported the vulnerability to the US Department of Justice last week.
WhatsApp is one of the most popular messaging tools in the world, with a sizeable 1.5 billion monthly users. It’s favored for its high level of security and privacy, as messages are encrypted end-to-end. This news adds to a turbulent period at Facebook, which bought WhatsApp in 2014 for $19 billion. Last month, a security research firm revealed 540 million Facebook accounts were publicly exposed, and a co-founder, Chris Hughes, recently advocated in The New York Times that the company should be broken up for fear that it has too much influence and power.