WhatsApp Discloses Six Bugs in its First Security Advisory

Facebook-owned messaging service provider WhatsApp, in the past week, started a Security Advisories page. On this page, WhatsApp is disclosing all the bugs and vulnerabilities that have been found and fixed to maintain transparency and encourage security researchers to report any other bugs as part of the company’s bug bounty program. In its first Security Advisory update, WhatsApp has already disclosed six vulnerabilities,  which, if exploited properly, would potentially provide remote code execution privilege to the attackers.

What’s WhatsApp Security Advisories

WhatsApp claims to provide users an end-to-end encryption messaging service utilizing the Signal Protocol designed by Open Whisper Systems. With more than two billion registered users, it is an ever-growing platform and handles a very large amount of confidential user data. Taking the learnings from its parent company Facebook, WhatsApp takes the privacy and security of user data very seriously. It reports any discrepancies through timely updates and informs the users about the same through app release notes. However, it states, “Due to the policies and practices of app stores, we cannot always list (entire) security advisories within app release notes.”

Thus, to close this gap and provide a single directory for a comprehensive list of WhatsApp security updates and associated Common Vulnerabilities and Exposures (CVE), the WhatsApp Security Advisories page has been launched.

The Six Vulnerabilities of First WhatsApp Security Advisory

1. CVE-2020-1894: A stack write overflow in WhatsApp that could have allowed arbitrary code execution when playing a specially crafted push to talk message.
2. CVE-2020-1891: A user-controlled parameter used in video calls that could have allowed an out-of-bounds write on 32-bit devices.
3. CVE-2020-1891: A URL validation issue that could have caused the recipient of a sticker message containing deliberately malformed data to load an image from a sender-controlled URL without user interaction.
4. CVE-2020-1889: A security feature bypass issue that could have allowed for sandbox escape in Electron and escalation of privilege if combined with a remote code execution vulnerability inside the sandboxed renderer process.
5. CVE-2020-1886: A buffer overflow that could have allowed an out-of-bounds write via a specially crafted video stream after receiving and answering a malicious video call.
6. CVE-2019-11928: An input validation issue that could have allowed cross-site scripting upon clicking on a link from a specially crafted live location message.

Vulnerabilities Summary
Vulnerability Names	Stack write overflow vulnerability. A user-controlled parameter used in a video call. A URL validation issue. Security feature bypass vulnerability. Buffer Overflow vulnerability. An input validation issue.
CVE Numbers & Affected Versions	CVE-2020-1894 / WhatsApp for Android prior to v2.20.35, WhatsApp Business for Android prior to v2.20.20, WhatsApp for iPhone prior to v2.20.30, and WhatsApp Business for iPhone prior to v2.20.30 CVE-2020-1891 / WhatsApp for Android prior to v2.20.17, WhatsApp Business for Android prior to v2.20.7, WhatsApp for iPhone prior to v2.20.20, and WhatsApp Business for iPhone prior to v2.20.20 CVE-2020-1890 / WhatsApp for Android prior to v2.20.11 and WhatsApp Business for Android prior to v2.20.2 CVE-2020-1889 / WhatsApp Desktop versions prior to v0.3.4932 CVE-2020-1886 / WhatsApp for Android prior to v2.20.11 and WhatsApp Business for Android prior to v2.20.2 CVE-2020-11928 / WhatsApp Desktop versions prior to v0.3.4932