WhatsApp Security

Our first and foremost concern, and also the main worry of our users, is the security and privacy of communications over WhatsApp.
72 Security flaws
History
Antony Peel, 11/29/2022. Translated by Manuel Sánchez

2022

Android IOS Mac Windows WebApp
11/16/2022
Massive WhatsApp data theft puts information on almost 500 million phone numbers up for sale
On November 16, 2022, an announcement about the sale of 487 million phone numbers belonging to WhatsApp users was posted on a well-known hacking forum. These users are from 84 different countries, the majority being from Egypt (45 million), Italy (35 million), the United States (32 million), Saudi Arabia (29 million), France (20 million), and Turkey (20 million). In Spain, the number of affected users is estimated to be around 10 million. Reliable sources checked the data against a sample provided by the sellers and were able to confirm that they were phone numbers of real WhatsApp users. It is suspected that the data could have been obtained by scraping, which is against WhatsApp's terms and conditions of use, although the person behind the break-in never confirmed the method used.
Android IOS
09/22/2022
A buffer overflow in WhatsApp could enable remote code execution in an already established video call
The CVE-2022-36934 vulnerability was detected on September 22nd, 2022, classified as a critical vulnerability, and fixed on September 23rd. It affected WhatsApp for Android versions before 2.22.16.2 and iPhone versions before 2.22.16.12. It also affected WhatsApp Business mobile apps before versions 2.22.16.12 on both operating systems. Through this security breach, a malicious attacker could manipulate a Video Call Handler function input, causing a buffer overflow and enabling remote code execution during the ongoing video call.
Android IOS
09/22/2022
A buffer overflow in WhatsApp could lead to remote code execution upon receiving a manipulated video file
The vulnerability CVE-2022-27492 was detected on September 22nd, 2022, classified as highly dangerous, and fixed just one day later. It affected Android versions before 2.22.16.2 and iPhone versions before 2.22.15.9. Through this security flaw, a malicious attacker could exploit the Video File Handler input of a video sent via WhatsApp to execute remote code on the recipient's mobile device.
Android IOS Mac Windows
02/02/2022
An attacker could cause out-of-bounds reading by sending an incorrectly formatted RTCP packet during a call
The acronym RTCP stands for Real-Time Control Protocol, a communication protocol commonly used for making calls and video calls between users of communication apps such as WhatsApp. Earlier in February 2022, a bug was detected in a bounds check in the RTCP flag parsing code; RTCP is responsible for reporting the quality of the RTP stream, the one that actually transports the data. This means that a user could send a malformed RTCP packet during a call in progress and cause heap memory to be read out of bounds.
Android IOS Mac Windows
01/05/2022
A bug in the logic used to design the calling system allowed potential attackers to force a buffer overflow
Known as Call Handler, this is the software component used by WhatsApp to make calls between users. In theory, it was possible to cause a buffer overflow by manipulating an input and writing out of bounds.

2021

Android
07/12/2021
A programming error involving a missing boundary check in the image blur feature could enable out-of-bounds writing and a buffer error with a malicious image
WhatsApp, through its security advisories, made public in December 2021 the vulnerability CVE-2021-24041, first recorded in July of that same year. The security flaw was in the image blur feature, which is widely used in the app in all sorts of scenarios. Potential attackers, taking advantage of a code error in the bounds checking associated with this functionality, could cause an out-of-bounds write and buffer overflow by sending a malicious image. The bug affected Android versions of the app before 2.21.22.7 released in October 2021, including the Business version.
Android
06/11/2021
A bug in filename validation could allow an attacker to overwrite files in the app
A bug in WhatsApp Messenger's filename validation process could allow an attacker to breach the integrity and confidentiality of the victim's data. This is a path traversal vulnerability, and the problem occurs when unzipping files. The lack of validation on filenames during the process could allow files to be overwritten using path traversal attacks, providing access to directories that should be restricted. This is a simple attack that could be performed remotely and is easy to exploit as no authentication is required, although interaction with the victim is necessary.
Android
04/14/2021
A vulnerability in the Android versions of WhatsApp Messenger allows Man-in-the-disk attacks through an HTML file and the Chrome browser
A security flaw allows cryptographic information to be collected from a user's external storage. To do this, an HTML file is sent to the victim; once it is opened with Chrome, it executes code by taking advantage of the browser's support for content providers. At that point, the attacker has access to TLS cryptographic material (in TLS 1.2 and 1.3 sessions) stored in the cache, as WhatsApp saves the TLS session key details in an unprotected external storage area. This makes it possible to compromise communications and the user's account, execute remote code, and extract the Noise protocol keys commonly used in end-to-end encryption of communications.
Android IOS
04/14/2021
An error in decoding audio from incoming calls could cause writing beyond the possible limits and cause memory overflow
A remote attacker could initiate a voice call via WhatsApp specifically designed to cause a memory overflow during its processing, exploiting a flaw in bounds checking. The resulting out-of-bounds write crashes the app. No specific technical details about the vulnerability have been provided.
Android IOS Mac Windows WebApp
04/10/2021
Due to a technical error in the initial login process and a simple contact email to the user support address, user accounts can be blocked, even permanently
A user can install a WhatsApp client and initiate the login process using the phone number of a third party. After several failed attempts with wrong codes, or after repeatedly requesting new codes (the actual 6-digit verification code always reaches the victim, who may not be aware of what is going on), WhatsApp blocks the sending of new codes for 12 hours. At this point, the second weakness comes into play: the attacker can contact WhatsApp's lost or stolen accounts department and, by simply providing the victim's phone number, impersonate the victim to block their access, taking advantage of the fact that it is an automated communication platform. If the attacker also repeats the operation for several 12-hour cycles and the victim is not able to regain control of the account in between, the attacker could permanently lock the account and force the victim to contact WhatsApp directly to recover it.
Android
02/02/2021
A problem in the image filter feature can cause writing out of bounds and grant access to WhatsApp memory on the phone of the victim
Security firm Check Point Research notified WhatsApp on November 10, 2020, of a security backdoor in the image filter feature which could grant an attacker access to information stored in the WhatsApp memory by writing out of bounds. The attack, which in any case requires user interaction, is complex to execute, and is not known to have been carried out, uses a specially prepared GIF image that is sent to the victim. When the victim edits the image by applying certain filters such as blurring, the original image pixels are modified, a complex process in which data is read, manipulated, and overwritten. The error occurs when forwarding the result to the sender. Further technical details of this error became known on September 2, 2021. It was supposed to be fixed as of version 2.21.1.13 of the app, released in February 2021, by introducing two new verification processes on the image source and the image filter related to the backdoor.

2020

IOS
11/05/2020
A library error could corrupt the memory, enable code execution, and cause other failures in the app
A chain of different events could cause memory corruption in the app, failures, and execution of malicious code. The bug was linked to a problem in a logging library used in versions before 2.20.111 of WhatsApp Messenger and WhatsApp Business for iOS. To cause the failure, several events had to occur in a certain order, among them receiving an animated sticker while placing a video call on hold.
IOS
11/05/2020
Use Siri to manage WhatsApp iOS even when the screen is locked
A glitch with the incorrect authorization of the screen lock feature in the iOS versions of WhatsApp Messenger and WhatsApp Messenger Business before version 2.20.100 made it possible to use Siri to manage the application even after locking the phone.
Android IOS
10/06/2020
Stack overflow and arbitrary code execution through RTP extension headers
While parsing the contents of RTP extension headers, it was possible to trigger a stack overflow in WhatsApp and execute arbitrary code.
Android
10/06/2020
Buffer overflow from local videos encoded with a certain audio format
When processing malformed local videos with E-AC-3 audio streams, it was possible to trigger an out-of-bounds write and cause a buffer overflow.
Android
10/06/2020
Malicious apps with possible access to attached content
An error in the Media ContentProvider URIs (Uniform Resource Identifier) used to open attachments in third-party applications caused them to be generated sequentially, meaning that a malicious third-party app could open the file and guess the URIs of previously opened attachments.
IOS
10/06/2020
Overwriting files across directories
An error in path validation when sending specially crafted DOCX, XLSX, and PPTX files as message attachments allowed files to be overwritten across directories.
IOS
10/06/2020
Denial of service through DOCX, PPTX, and XLSX files
When decompressing a regular DOCX, PPTX, or XLSX document from the Office suite, it was possible to cause a denial of service by running out of memory. This required that the phone number sending the file was not in our contact list.
Android
10/06/2020
Certain searches may open Google using plain HTTP
A flaw when performing a quick search on a heavily forwarded message could send the user to the Google search service over plain HTTP.
IOS
10/06/2020
Application blocking by sending long messages
By sending a large message containing a URL, it was possible to block the iOS client by causing the app to freeze when processing the message.
Android IOS
09/03/2020
Execution of malicious code through push to talk voice messages
An attacker could have used the push to talk function of sending messages to execute arbitrary malicious code.
Android IOS
09/03/2020
Out-of-bounds write on 32-bit devices
Through video calls, a user could trigger an out-of-bounds write on 32-bit devices.
Android
09/03/2020
Stickers linked to URLs without permission
A problem with URL validation allowed stickers to be sent with URL links that opened automatically without the user's permission.
Mac Windows
09/03/2020
Omission of security features in WhatsApp Desktop
A security feature omission problem in versions of WhatsApp Desktop prior to v0.3.4932 could have allowed a sandbox escape in Electron and escalation of privileges if combined with a remote code execution vulnerability inside the sandboxed renderer process.
Android
09/03/2020
Buffer overflow
It enabled an out-of-bounds write through video streams crafted to act once the call was answered.
Mac Windows
09/03/2020
Input validation problem
Through live location messages, an attacker could have triggered cross-site scripting via a link.
IOS Mac Windows
01/21/2020
Vulnerability in link preview using Desktop and iPhone
A vulnerability that combines WhatsApp Desktop and WhatsApp for iPhone makes it possible, when a victim clicks on a specially crafted link preview, to perform cross-site scripting and read local files.

2019

Android IOS Mac Windows WebApp
12/17/2019
Crashes of the app in group members
Using WhatsApp Web, Google Chrome, and a remote server in Python, the attacker can modify the name of the participant in a group and cause crashes by entering an infinite loop. The only solution was to reinstall the app, with the consequent loss of group data.
Android
11/14/2019
Hacking the app using MP4 files
By sending a contact and then downloading an MP4 file along with its metadata, memory was corrupted, enabling a DoS or RCE attack. Attackers could spy on data and steal files remotely.
Android
10/23/2019
Buffer overflow in Android libraries
A stack buffer overflow was found in an Android library called libpl_droidsonroids_gif, in versions before 1.2.19, that could allow a remote attacker to run arbitrary code and cause a denial of service. The error could affect versions of WhatsApp Messenger for Android prior to version 2.19.291.
Android
10/03/2019
Execution of remote code by creating and sending GIFs
An Android library related to GIFs contained a double-free vulnerability in the DDGifSlurp function. Through this vulnerability, remote attackers could execute code and cause a denial of service when the library parsed GIFs specifically designed for that purpose.
Android IOS
09/27/2019
Attacks using EXIF tags on WEBP images
An attacker could use the EXIF tags of WEBP images to write out of bounds and overflow the media parsing libraries.
Android IOS Mac Windows WebApp
08/08/2019
Code failure allows message manipulation (II)
Although WhatsApp reported having solved this vulnerability, initially reported in August 2018, the same researchers discovered that the problem had not been solved and that it was still possible to manipulate messages and make them look real.
Mac Windows
07/16/2019
Error when performing correct input validation
A problem in the input validation process allowed malicious files to be sent to users and displayed with an incorrect extension.
Android
07/15/2019
Media File Jacking
An error was detected whereby WhatsApp and Telegram media files were visible to each other via SD card storage. In this way, it was possible to modify a file or document before it was sent.
Android IOS Windows
05/14/2019
Security flaw with possible attacks through phone calls. Vulnerability in the WhatsApp VoIP buffer stack. Remote code execution through RTCP packets sent to a number by phone calls
A security flaw allowed espionage through phone calls. It is suspected that the cybersecurity company NSO took advantage of the error to offer an espionage tool on a commercial level. Upon receiving a call, and without the victim having to answer it, spy software was installed. The calls could leave no trace. Journalists, political dissidents, diplomats, and members of different governments were victims of the software called Pegasus, later confirmed by WhatsApp to have affected around 1400 people.
Android
05/10/2019
Recovery of previously sent messages
An error in the development logic allowed someone with access to the account to retrieve previously sent messages. In any case, it was necessary to know the metadata of those messages, which in theory is not publicly available.
Android IOS Windows
01/28/2019
Stack error on failure to calculate transmitted data when receiving calls
A write outside the space allocated on the stack could occur when receiving calls, because the amount of data being passed was not properly taken into account in the stack allocation.
IOS
01/28/2019
Stack overflow when receiving calls on iPhone
In WhatsApp for iOS, a missing size check when parsing packets provided by the sender while receiving a call could cause a stack-based overflow.

2018

Android IOS
10/10/2018
Memory heap overflow when receiving video calls
RTP implementation problems allow taking control of a client through a video call designed for that purpose. It affects Android and iOS, not WhatsApp Web as it uses WebRTC for this function.
Android IOS Mac Windows WebApp
08/07/2018
Code failure allows message manipulation
A security breach detected by an external company allowed criminals to intercept and manipulate sent messages. The error made it possible to change a participant's response, quote messages from people who had not written those texts, or send messages to members of groups that, although seemingly group-based, were only visible to that user.
Android IOS Mac Windows WebApp
05/31/2018
Content sharing button plugin failed
MULTIDOTS Add Social Share Messenger Buttons WhatsApp and Viber 1.0.8 Plugin for WordPress presents a bug allowing a phishing or social engineering attacker to get a WordPress site administrator to change the Plugin's settings using Cross-Site Request Forgery (CSRF) in wp-admin/admin-post.php.
Android IOS
05/23/2018
Receiving messages from blocked contacts
Users on social networks warn that a blocked user is able to continue sending messages. The error appears to be related to an update of the WhatsApp mobile clients for both Android and iPhone, and would be resolved shortly thereafter by a new update.
Android IOS Windows
01/28/2018
Error in RTP headers
Incorrect analysis of the RTP extension headers made out-of-bounds reading possible.
Android
01/28/2018
Stack overflow when receiving calls on Android
In WhatsApp for Android, a missing size check when parsing packets provided by the sender while receiving a call could cause a stack-based overflow.

2017

WebApp
10/09/2017
Tracking contact activity on WhatsApp Web
Researcher Rob Heaton discovers a bug in WhatsApp Web that allows monitoring of contact activity. By using a Chrome extension, it is possible to record a contact's connection times even though they are hidden from view, and to compare that information with other contacts to establish patterns, routines, and even conversations held between them.
Android IOS Mac Windows WebApp
07/01/2017
Group self-invitations
German researchers warn of a bug whereby a person with access to WhatsApp's servers can invite themselves into group chats. Facebook plays down its importance, since, as noted, it requires access to the servers, which is very hard to obtain, and in addition, the participants of the groups can see that a new person has joined with no invitation. The intruder also does not have access to previously sent messages.
Android
04/09/2017
Information not removed from the SD card and accessible to other apps
WhatsApp for Android does not delete sent and received files from the device's SD card when a chat is deleted or the app is uninstalled. The data on the SD card is stored without encryption and is accessible to other applications with storage access permissions. According to Facebook, this is not an error, but the expected behavior, intended to allow users to export data.
WebApp
03/15/2017
Account theft through photos or videos
A vulnerability made it possible to send messages or videos that were normal in the preview but contained HTML code, capable of loading malware through the browser. In this way, it was possible to take full control of the user's account, read their messages, send them, or view the multimedia content. The vulnerability was reported on March 8 of that same year, one week earlier. When it was made public it was already fixed.
Android IOS Mac Windows WebApp
01/13/2017
Security flaw that enables messages to be read
German researcher Tobias Boelter discovers an error in the app's end-to-end encryption. Examining how security keys are generated with the Open Whisper Systems Signal protocol, he finds that WhatsApp can force the creation of new keys for offline users. Many security experts believe that this is not really an error, and in fact the newspaper The Guardian, which initially published the error, retracted its words.

2016

IOS
08/02/2016
Conversations are not deleted
After the arrival of message encryption, a researcher discovered a flaw in the SQL libraries that would allow us to track deleted conversations with our contacts. According to their analysis, it would only be possible to completely delete a conversation by deleting and reinstalling the app.
Android IOS Mac Windows WebApp
05/06/2016
Message Encryption Failure
A Russian computer security company discovers how it is possible to spy on conversations using the security holes of the SS7 protocol. By connecting to the network node that serves the device and taking advantage of the error, they could steal the authentication SMS and impersonate the participants. This could happen as long as the default security settings were used, since the option "Show security notifications" in the settings, which could warn the user of a problem, was not activated. In any case, it is more of a protocol error than a WhatsApp one.

2015

WebApp
09/08/2015
Malware installation on PC using WhatsApp Web and a vCard
Using the web client on a PC, an attacker could send a vCard with the malicious code of malware and install it directly on the computer.
IOS
07/30/2015
Access to other people's chats on iOS devices
A computer engineering student notices that by using an iPhone and a Linux computer, he can extract sent and received files and contacts.
Android IOS
05/30/2015
Account theft through another device
A failure in the user identification process allowed an attacker to access our account. By installing WhatsApp on a second device, knowing the victim's phone number, and having access to their phone, it was possible to steal the account. To do this, a new installation is started with the victim's number, the verification code is requested through a call on the mobile that we can answer without unlocking the phone and use that code on the second client. Until the victim can recover the use of his account, a variable amount of minutes is spent that can be used to spy on all conversations.
IOS
05/26/2015
A character-related bug restarts the phone
A remote attacker could use CoreText to trigger a denial of service attack using Unicode text. By sending several characters that were not correctly assimilated by the notification, the message caused the phone to restart.
Android IOS Windows
05/13/2015
Account hacking through voice mail
WhatsApp's verification process makes it possible for a person who knows our phone number to steal our account if we have an active mailbox. Simply install WhatsApp and start registering the number when the victim may not be looking at the phone. When the verification call is not answered, WhatsApp leaves the message in the voice mailbox if it is active, a mailbox that can be called to know the verification code, and take control of the account.
WebApp
01/29/2015
An error allows seeing the photos of users that we do not have in the contact list/deleted images are still visible in WhatsApp Web
Indrajeet Bhuyan discovers two security and privacy flaws. On the one hand, he shows how users' profile photos are visible even when we do not have the user in our contact list. Anyone can see our photo even if we specify in the settings that they cannot do it. The second error is related to the synchronization of WhatsApp Web and mobile clients: when you delete a photo in a conversation, it becomes blurred and inaccessible on mobile devices but is still available in the web version of the client.

2014

Android
12/01/2014
Sending messages capable of corrupting the conversation and forcing its deletion
Two teenagers discover a bug that caused an error in the app by sending a text message with a special set of very small characters (barely 2kb), making it impossible to access that conversation. It was not an extremely serious security flaw, but it allowed any conversation to be corrupted by forcing it to be deleted and a new conversation to be started. Fixed in update 2.11.468.
Android
04/17/2014
Sending locations without encryption
A group of researchers from the University of New Haven detects a security flaw where messages containing a contact's location are sent without encryption, allowing an attacker to intercept the content of those messages and learn the contact's real position using a man-in-the-middle attack with programs like Wireshark.
Android
03/11/2014
WhatsApp database theft
A Dutch computer engineer warns that the WhatsApp database is stored on the devices' SD card and that any app with access to that SD card could get the file. In a transparent process, attackers can copy the database and upload it to a server. This database was encrypted using SQLite3, but it was possible to decrypt it using a Python script and WhatsApp Xtract. According to WhatsApp, in a note released days later, these reports were exaggerated: responsible use of the software and the device, as in any other circumstance, should be enough to avoid becoming victims of an attack.
Android IOS Windows
03/08/2014
Security flaw enables forging of messages
Two researchers present at RootedCon 2014 a proof of concept demonstrating that it is possible to forge WhatsApp messages without leaving a trace.

2013

Android
11/22/2013
It is possible to know the location of a contact through its IP address
The introduction of new image download functionality associated with URL link sharing would allow an attacker to learn a person's IP address, and therefore their location, as well as other data useful for performing denial of service attacks.
Android IOS Windows
11/03/2013
It is possible to decrypt messages sent from WhatsApp
Pablo San Emeterio and Jaime Sánchez publish an investigation that explains in detail how WhatsApp's message encryption system works, and how, with this information, it is possible to intercept sent messages and forge them for the final recipient. As a solution, they created the WhatsApp Privacy Guard app. The problem is in the use of the same key to encrypt two messages, a failure of the RC4 encryption protocol.
Android IOS Windows
10/08/2013
WhatsApp encryption problems
Researcher Thijs Alkemade detects two weaknesses in WhatsApp's message encryption. Firstly, he discovers that someone with access to the messages might be able to decipher their content despite the encryption used. Secondly, the use of the RC4 key allows for man-in-the-middle attacks capable of intercepting packets.
Android IOS Windows
01/17/2013
Security flaw triggers the creation of WhatsApp Voyeur
Alejandro Amo publishes the web service WhatsApp Voyeur as proof that anyone can get information from WhatsApp profile data without having the user in the contact list, such as photos, statuses, or dates. The service stopped working because of legal warnings. The reality is that this is possible just by adding a contact to our contact list.

2012

Android IOS Windows
05/04/2012
WhatsApp Sniffer, plain text messages
The WhatsApp Sniffer app is launched, allowing users to spy on chats. In August 2012 it was announced that WhatsApp would start encrypting messages, without specifying the protocol. The phone numbers were still visible.
Android IOS Windows
01/03/2012
WhatsAppStatus appears, allowing you to change the status of any contact
A web service called WhatsAppStatus is launched, which takes advantage of different vulnerabilities detected the previous month to allow changing the status of our contacts in a random way. The error would be corrected on January 6th.

2011

Android IOS Windows
12/19/2011
Irregular status updates, logging errors, and plain text related errors
Numerous vulnerabilities related to user status in the app, registration process, and plain text protocol are discovered, making it very easy to intercept them.
Android IOS
12/10/2011
WhatsApp Xtract is born: it is possible to steal a user's WhatsApp database
A group of researchers launches WhatsApp Xtract, software capable of extracting and decrypting the database that WhatsApp stores locally on devices. According to reports, this encrypted database, which stores all incoming and outgoing messages, can be accessed on mobile devices with root or jailbreak, and can be easily decoded as it always uses the same static and encrypted key.
Android IOS Windows
05/17/2011
Contact information and messages are sent as plain text
A researcher discovers that WhatsApp sends all information unencrypted over the network, so any user can be a victim of spying through a man-in-the-middle attack in which sniffer software such as Wireshark is able to see the data passing through port 443. WhatsApp implicitly recognized that there was no extra layer of security by responding that the security protocols applied were those of Wi-Fi and 3G networks.
Android
05/01/2011
A security flaw enabled the hijacking of user accounts
Security issues in the phone number verification or authentication process. A developer locates a bug that allowed a user's account to be hijacked remotely.