On Monday 13 May, Facebook revealed that an “advanced cyber actor” has been spying on some users of its ridiculously popular WhatsApp messaging app, thanks to a zero-day vulnerability that allowed hackers to install spyware, silently, just by calling a victim’s phone.
The vulnerability is now fixed, and WhatsApp’s 1.5 billion users are advised to upgrade to the latest version.
Sophos blogger Mark Stockley warns users that, while there’s a good chance your app’s already updated itself, this is a serious vulnerability so users should check anyway.
“WhatsApp isn’t exactly shouting about this,” he points out. “The Facebook Security page, WhatsApp’s company website and WhatsApp’s Twitter feed are bereft of information.”
WhatsApp’s security advisory for CVE-2019-3568 simply reads: “Description: A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.
“Affected Versions: The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.”
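As an added defender's check, not code from the article or from WhatsApp, the affected-version list above can be turned into a script that flags installs still below the fixed build for their product. Product names and fix thresholds are taken from the advisory; the device inventory is constructed sample data, and comparing versions as integer tuples rather than strings is the point worth noticing.

```python
# Flags WhatsApp builds still exposed to CVE-2019-3568, using the first fixed
# versions from the advisory quoted above: a build is affected when its
# version is strictly lower than the fix for its product.
from typing import Dict, List, Tuple

FIXED_VERSIONS: Dict[str, str] = {
    "WhatsApp for Android": "2.19.134",
    "WhatsApp Business for Android": "2.19.44",
    "WhatsApp for iOS": "2.19.51",
    "WhatsApp Business for iOS": "2.19.51",
    "WhatsApp for Windows Phone": "2.18.348",
    "WhatsApp for Tizen": "2.18.15",
}

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.19.134' into (2, 19, 134) so components compare numerically.

    Comparing the raw strings gets it wrong: '2.19.9' > '2.19.134' as text,
    yet 2.19.9 is the older, vulnerable Android build.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)

def is_affected(product: str, version: str) -> bool:
    """True when this product/version predates the fix in the advisory."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        raise KeyError(f"product not covered by the advisory: {product!r}")
    return parse_version(version) < parse_version(fixed)

def find_affected(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return device ids whose installed build is still vulnerable."""
    return [dev for dev, product, ver in inventory if is_affected(product, ver)]

# Constructed sample inventory (device id, product, installed version), not
# real data; dev-01 and dev-03 are the cases a text comparison would misjudge.
SAMPLE_INVENTORY = [
    ("dev-01", "WhatsApp for Android", "2.19.9"),
    ("dev-02", "WhatsApp for Android", "2.19.134"),
    ("dev-03", "WhatsApp for iOS", "2.19.100"),
    ("dev-04", "WhatsApp Business for Android", "2.19.43"),
    ("dev-05", "WhatsApp for Tizen", "2.18.15"),
]

if __name__ == "__main__":
    print("still affected:", find_affected(SAMPLE_INVENTORY))
```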
It seems that some people who knew about this vulnerability used phone calls to vulnerable devices to install spyware that could listen in on calls, read messages and switch on the camera, Stockley explains.
“But that doesn’t stop other people abusing the vulnerability in other ways, so you should still update, even if you think you’re unlikely to have been affected by this attack.”