Monday, July 26, 2021

WhatsApp users need to be careful, but no app is immune to vulnerabilities


Most of India's population uses smartphones and WhatsApp. The app has become part of their lives, and WhatsApp has become an indispensable mode of communication. When Facebook took over WhatsApp, there were many rumours that WhatsApp was sharing some data with Facebook, including phone numbers and profile names, but this has been happening for years.

WhatsApp, the messaging app, doesn't gather the content of your chats, but it does collect the metadata attached to them, such as the sender, the time a message was sent and who it was sent to. This can be shared with "Facebook companies". Facebook's much-criticised data collection practices have eroded trust in the social network.

When Facebook bought WhatsApp in 2014, it vowed to keep the two services separate. Yet only a few years later, Facebook announced plans to integrate the messaging systems of Facebook, Instagram and WhatsApp. This appears to have stalled owing to technical and regulatory difficulties around encryption, but it's still the long-term plan.

All of a sudden, people not only felt cheated but were also scared of a data breach and switched to Signal, a secure messaging app, which has been the main beneficiary of the WhatsApp exodus. Another messaging app, Telegram, has also seen an uptick in downloads, but Signal has been topping the charts on the Apple and Android app stores.

Signal benefits from being the most similar to WhatsApp in terms of features, while Telegram has had problems as a secure and private messaging app, with its live location feature recently coming under fire for privacy breaches. Significantly, Telegram is not end-to-end encrypted by default, instead storing your data in the cloud. Signal is end-to-end encrypted, collects less data than Telegram and stores messages on your device rather than in the cloud.

Still, WhatsApp is used by millions of people; it is truly a powerhouse when it comes to apps in general, let alone messengers specifically. With this level of success comes increased exposure to those who would do WhatsApp users harm. Those using WhatsApp on the iPhone were warned about a one-click attack risk earlier this year, for example. A reported "sharp rise" in WhatsApp security flaws across 2019 has even led to some reports of political staffers being advised to switch to the rival secure messenger, Signal.

The fact is that no app is immune to security vulnerabilities; they are a fact of technological life. It's the way those vulnerabilities are dealt with that is vital. CVE-2020-1886 was a buffer-overflow problem in the WhatsApp for Android app, in versions before v2.20.11, that could be triggered by receiving and answering a malicious video call.

CVE-2020-1889 affected the WhatsApp desktop client before v0.3.4932 and was an escalation of privilege threat that, when combined with a remote code execution vulnerability, could be used to escape the system security sandbox. CVE-2020-1890 was another Android app problem, this time triggered by receipt of a malicious sticker message that could lead to privilege escalation once more.

CVE-2020-1891 was in both Android and iOS apps and involved the video call handler. All that's publicly known is that it could impact confidentiality, integrity and availability. CVE-2020-1894 was a stack-overflow issue in Android and iOS apps that could allow for arbitrary code execution triggered by a malicious push-to-talk message.

Severity rating of vulnerability marked high

India's cyber security agency, the Computer Emergency Response Team (CERT-In), recently issued an alert against multiple vulnerabilities in older versions of WhatsApp and WhatsApp Business for iOS. The severity rating of the vulnerability has been marked high. According to the alert issued by CERT-In, there were two critical vulnerabilities in WhatsApp and WhatsApp Business for iOS: an Improper Access Control vulnerability (CVE-2020-1908) and a Use-After-Free vulnerability (CVE-2020-1909). These vulnerabilities have been disclosed by WhatsApp as part of its November update to its security advisories. The Improper Access Control vulnerability can allow hackers to access WhatsApp even after a phone is locked. The vulnerability affects WhatsApp iOS versions prior to v2.20.100.

The use-after-free in a logging library in WhatsApp can be exploited by a remote attacker "by sending a specially crafted animated sticker to the target while placing a WhatsApp video call on hold, resulting in several events occurring together". The CERT-In advisory suggests users install and update to the latest version of WhatsApp with security patches from the App Store. A high-severity vulnerability could allow cybercriminals to push malware or remotely execute code, using seemingly innocuous messages.

Security researchers have identified a JavaScript vulnerability in the WhatsApp desktop platform that could allow cybercriminals to spread malware, phishing or ransomware campaigns through notification messages that appear completely normal to unsuspecting users. Further investigation shows this could be parlayed into remote code execution. More specifically, "The flaws leave users vulnerable to attacks by allowing both the text content and links in website previews to be tampered with to display false content and modified links that point to malicious destinations."



Dr Vaidehi Taman (http://www.vaidehisachin.com)
Dr Vaidehi, an Accredited Journalist from Maharashtra, has been awarded an Honorary Doctorate in Journalism and is an Investigative Journalist, Editor, Ethical Hacker, Philanthropist, and Author. She has been Editor-in-Chief of Newsmakers Broadcasting and Communications Pvt. Ltd. for 11 years, which features an English daily tabloid – Afternoon Voice, a Marathi web portal – Mumbai Manoos, and monthly magazines like Hackers5, Beyond The News (international) and Maritime Bridges. She is also an EC Council Certified Ethical Hacker, Certified Security Analyst and Licensed Penetration Tester, which caters to her freelance jobs.
