WhatsApp Security

Our first and foremost concern, and also the main worry of our users, is the security and privacy of communications over WhatsApp
61 Security flaws
History
Héctor Hernández, 10/28/2020 (Updated 11/06/2020). Translated by Manuel Sánchez

2020

IOS
11/05/2020
Use Siri to manage WhatsApp iOS even when the screen is locked
A glitch with the incorrect authorization of the screen lock feature in the iOS versions of WhatsApp Messenger and WhatsApp Messenger Business before version 2.20.100 made it possible to use Siri to manage the application even after locking the phone.
IOS
11/05/2020
A library error could corrupt the memory, enable code execution, and cause other failures in the app
A chain of different events could cause memory corruption in the app, failures, and execution of malicious code. The bug was linked to a problem in a registry library used in versions before 2.20.111 of WhatsApp Messenger and WhatsApp Business for iOS. To cause the failure, different scenarios were necessary in a certain order, among them, receiving an animated sticker while placing a video call on hold.
IOS
10/06/2020
Application blocking by sending long messages
By sending a large message containing a URL, it was possible to block the iOS client by causing the app to freeze when processing the message.
Android
10/06/2020
Certain searches may open Google using simple HTTP
A failure to perform quick searches on a heavily forwarded message could send the user to the Google search service using simple HTTP.
IOS
10/06/2020
Denial of service through DOCX, PPTX, and XLSX files
When decompressing a regular DOCX, PPTX, or XLSX document from the Office suite, it was possible to cause a denial of service as a result of a lack of memory, which requires that the phone number sending the file was not in our contact list.
IOS
10/06/2020
Overwriting cross directory files
An error in path validation when sending DOCX, XLX, and PPTX files designed as attachments to messages allowed overwriting of cross directory files.
Android
10/06/2020
Malicious apps with possible access to attached content
An error in the Media ContentProvider URIs (Uniform Resource Identifier) used to open attachments in third-party applications caused them to be generated sequentially, meaning that a malicious third-party app could open the file and guess the URIs of previously opened attachments.
Android
10/06/2020
Buffer overflow from local videos encoded with a certain audio format
By processing poorly formed local videos with E-AC-3 audio streams, it was possible to enable off-limit writing and cause a buffer overflow.
Android IOS
10/06/2020
Execution of arbitrary code to cause a stack overflow
By analyzing the content of RTP extension headers, it was possible to execute arbitrary code and cause an overflow in the WhatsApp stack.
Mac Windows
09/03/2020
Input validation problem
Through the live location messages, an attacker could have allowed cross-site scripting via a link.
Android
09/03/2020
Buffer overflow
It enabled off-limits writing through video transmissions designed to act on response.
Mac Windows
09/03/2020
Omission of security features in WhatsApp Desktop
A security feature omission problem in versions of WhatsApp Desktop prior to v0.3.4932 could have allowed the escape of the test zone in Electron and the escalation of privileges if combined with a remote code execution vulnerability within the test zone rendering process.
Android
09/03/2020
Stickers linked to URLs without permission
A problem with URL validation allowed stickers to be sent with URL links that opened automatically without the user's permission.
Android IOS
09/03/2020
Allowed off-limit writing on 32-bit devices
Through video calls, a user could enable off-limit writing on 32-bit devices.
Android IOS
09/03/2020
Execution of malicious code through push to talk voice messages
An attacker could have used the push to talk function of sending messages to execute arbitrary malicious code.
IOS Mac Windows
01/21/2020
Vulnerability in link preview using Desktop and iPhone
A vulnerability that combines WhatsApp Desktop and WhatsApp for iPhone makes it possible, by a victim's click on a preview of a link designed for this purpose, to create scripts between sites and read local files.
Source:

2019

Android IOS Mac Windows WebApp
12/17/2019
Crashes of the app in group members
Using WhatsApp Web, Google Chrome, and a remote server in Python, the attacker can modify the name of the participant in a group and cause crashes by entering an infinite loop. The only solution was to reinstall the app, with the consequent loss of group data.
Source:
Android
11/14/2019
Hacking the app using MP4 files
By sending a contact and then downloading an MP4 file along with its metadata, memory was corrupted and a DoS or RCE attack was generated. Attackers could spy on data and steal files remotely.
Source:
Android
10/23/2019
Buffer overflow in Android libraries
A stack buffer overflow error is found in an Android library, specifically called libpl_droidsonroids_gif before its version 1.2.19 that could allow a remote attacker to run arbitrary code and cause a denial of service. The error could affect versions of WhatsApp Messenger Android prior to version 2.19.291.
Source:
Android
10/03/2019
Execution of remote code by creating and sending GIFs
A bug in an Android library related to GIFs contained a double vulnerability in the DDGifSlurp function. Through this vulnerability, remote attackers could execute code and cause a denial of service by analyzing GIFs specifically designed for that purpose.
Source:
Android IOS
09/27/2019
Attacks using EXIF tags on WEBP images
An attacker could use the EXIF tags of the WEBP-type images to write off-limits and overflow the media analysis libraries.
Source:
Android IOS Mac Windows WebApp
08/08/2019
Code failure allows message manipulation (II)
Although WhatsApp reported having solved this vulnerability, initially reported in August 2018, the same researchers discover that the problem has not been solved and it is still possible to manipulate messages and make them look real.
Source:
Mac Windows
07/16/2019
Error when performing correct input validation
A problem in the check and input process allowed malicious files to be sent to users that were displayed with an incorrect extension.
Source:
Android
07/15/2019
Media File Jackin
An error was detected whereby WhatsApp and Telegram media files were visible to each other via SD card storage. In this way, it was possible to modify a file or document before it was sent.
Source:
Android IOS Windows
05/14/2019
Security flaw with possible attacks through phone calls. Vulnerability in the WhatsApp VoIP buffer stack Remote code execution through RTCP packets sent to a number by phone calls
A security flaw allowed espionage through phone calls. It is suspected that the cybersecurity company NSO took advantage of the error to offer an espionage tool on a commercial level. Upon receiving a call and without having to answer it, spy software was installed. The calls could leave no trace. Journalists, political dissidents, diplomats, and members of different governments, were victims of the software called Pegasus, later confirmed by WhatsApp to have affected around 1400 people.
Android
05/10/2019
Recovery of previously sent messages
An error in the development logic allowed someone with access to the account to retrieve previously sent messages. In any case, it was necessary to know the metadata of those messages, that in theory are not publicly available.
Source:
IOS
01/28/2019
Stack overflow when receiving calls on iPhone
In WhatsApp for iOS, a failure in the sizing process of analyzing packets in the sender when receiving a call could cause a stack-based overflow.
Source:
Android IOS Windows
01/28/2019
Stack error on failure to calculate transmitted data when receiving calls
Writing error outside the space assigned to the stack when receiving calls, the amount of data being passed was not properly considered in the stack assignment.
Source:

2018

Android IOS
10/10/2018
Memory heap overflow when receiving video calls
RTP implementation problems allow taking control of a client through a video call designed for that purpose. It affects Android and iOS, not WhatsApp Web as it uses WebRTC for this function.
Android IOS Mac Windows WebApp
08/07/2018
Code failure allows message manipulation
A security breach detected by an external company allowed criminals to intercept and manipulate sent messages. The error made it possible to change a participant's response, quote messages from people who had not written those texts, or send messages to members of groups that, although seemingly group-based, were only visible to that user.
Source:
Android IOS Mac Windows WebApp
05/31/2018
Content sharing button plugin failed
MULTIDOTS Add Social Share Messenger Buttons WhatsApp and Viber 1.0.8 Plugin for WordPress presents a bug allowing a phishing or social engineering attacker to get a WordPress site administrator to change the Plugin's settings using Cross-Site Request Forgery (CSRF) in wp-admin/admin-post.php.
Source:
Android IOS
05/23/2018
Receiving messages from blocked contacts
Users on social networks warn that a blocked user is able to continue sending messages. The error appears to be related to an update of the WhatsApp mobile clients for both Android and iPhone, and would be resolved shortly thereafter by a new update.
Android
01/28/2018
Stack overflow when receiving calls on Android
In WhatsApp for Android, a failure in the sizing process of analyzing packets in the sender when receiving a call could cause a stack-based overflow.
Source:
Android IOS Windows
01/28/2018
Error in RTP headers
Incorrect analysis of the RTP extension headers made out-of-bounds reading possible.
Source:

2017

WebApp
10/09/2017
Tracking contact activity on WhatsApp Web
Researcher Rob Heaten discovers a bug in WhatsApp Web that allows monitoring of contact activity. By using a Chrome extension, it is possible to record the connection times even though they are hidden from view in order to compare the information with other contacts to establish patterns, routines, and even conversations held between them.
Source:
Android IOS Mac Windows WebApp
07/01/2017
Group self-invitations
German researchers warn of a bug whereby a person with access to WhatsApp's servers can self-invite in group chats. From Facebook, they do not give it enough importance, since as it has been said it is necessary to have access to the servers, which is very hard, and in addition, the participants of the groups can see that a new person has joined with no invitation. They also do not have access to previously sent messages.
Android
04/09/2017
Information not removed from the SD card and accessible to other apps
WhatsApp for Android does not delete sent and received files from the device's SD card when a chat is deleted or the app is uninstalled. The data on the SD card is stored without encryption and is accessible to other applications with storage access permissions. According to Facebook, this is not an error, but the expected performance to allow users to export data.
WebApp
03/15/2017
Account theft through photos or videos
A vulnerability made it possible to send messages or videos that were normal in the preview but contained HTML code, capable of loading malware through the browser. In this way, it was possible to take full control of the user's account, read their messages, send them, or view the multimedia content. The vulnerability was reported on March 8 of that same year, one week earlier. When it was made public it was already fixed.
Source:
Android IOS Mac Windows WebApp
01/13/2017
Security flaw that enables messages to be read
German researcher Tobias Boelter discovers an error in the app's end-to-end encryption. When generating the security keys using the Open Whisper Systems Signal protocol, it is discovered that WhatsApp can force the creation of new keys for offline users. Many security experts believe that this error is not such, and in fact, the media The Guardian, that initially published the error, retracted its words.

2016

IOS
08/02/2016
Conversations are not deleted
After the arrival of message encryption, a researcher discovered a flaw in the SQL libraries that would allow us to track deleted conversations with our contacts. According to their analysis, it would only be possible to completely delete a conversation by deleting and reinstalling the app.
Android IOS Mac Windows WebApp
05/06/2016
Message Encryption Failure
A Russian computer security company discovers how it is possible to spy on conversations using the security holes of the SS7 protocol. By connecting to the network node that serves the device and taking advantage of the error, they could steal the authentication SMS and impersonate the participants. This could happen as long as the default security settings were used, since the option "Show security notifications" in the settings was not activated, which could warn the user of a problem. In any case, it is more protocol error than WhatsApp.

2015

WebApp
09/08/2015
Malware installation on PC using WhatsApp Web and a vCard
Using the web client on a PC, an attacker could send a vCard with the malicious code of malware and install it directly on the computer.
Source:
IOS
07/30/2015
Access to other people's chats on iOS devices
A computer engineering student notices that by using an iPhone and a Linux computer, he can extract sent and received files and contacts.
Source:
Android IOS
05/30/2015
Account theft through another device
A failure in the user identification process allowed an attacker to access our account. By installing WhatsApp on a second device, knowing the victim's phone number, and having access to their phone, it was possible to steal the account. To do this, a new installation is started with the victim's number, the verification code is requested through a call on the mobile that we can answer without unlocking the phone and use that code on the second client. Until the victim can recover the use of his account, a variable amount of minutes is spent that can be used to spy on all conversations.
IOS
05/26/2015
A character-related bug restarts the phone
A remote attacker could use CoreText to trigger a denial of service attack using Unicode text. By sending several characters that were not correctly assimilated by the notification, the message caused the phone to restart.
Source:
Android IOS Windows
05/13/2015
Account hacking through voice mail
WhatsApp's verification process makes it possible for a person who knows our phone number to steal our account if we have an active mailbox. Simply install WhatsApp and start registering the number when the victim may not be looking at the phone. When the verification call is not answered, WhatsApp leaves the message in the voice mailbox if it is active, a mailbox that can be called to know the verification code, and take control of the account.
WebApp
01/29/2015
An error allows seeing the photos of users that we do not have in the contact list/deleted images are still visible in WhatsApp Web
Indrajeet Buyhan discovers two security and privacy flaws On the one hand, he shows how users' profile photos are visible even when we do not have the user in our contact list. Anyone can see our photo even if we specify in the settings that they cannot do it. The second error is related to the synchronization of WhatsApp Web and mobile clients: when you delete a photo in a conversation, it becomes blurred on the mobiles and inaccessible but is still available in the web version of the client.

2014

Android
12/01/2014
Sending messages capable of corrupting the conversation and forcing its deletion
Two teenagers discover a bug that caused an error in the app by sending a text message with a special set of very small characters (barely 2kb), making it impossible to access that conversation. It was not an extremely serious security flaw, but it allowed any conversation to be corrupted by forcing it to be deleted and a new conversation to be started. Fixed in update 2.11.468.
Android
04/17/2014
Sending locations without encryption
A group of researchers from the University of New Haven detects a security flaw where messages with the location of contact are sent without encryption, allowing them to intercept the content of those messages and know the real position of contact using a man-in-the-middle attack with programs like WireShark.
Source:
Android
03/11/2014
WhatsApp database theft
A Dutch computer engineer warns that the WhatsApp database is stored on the devices' SD card and that any app with access to that SD card could get the file. In a transparent process, attackers can copy the database and upload it to a server. This database was encrypted using SQLite3, but it was possible to decrypt it using a Phyton and WhatsApp Xtract script. According to WhatsApp, in a note released days later, these reports were exaggerated: responsible use of the software and the device, as in any other circumstance, should be enough to avoid becoming victims of an attack.
Android IOS Windows
03/08/2014
Security flaw enables forging of messages
Two researchers present at the RootedCon 2014 a proof of concept that demonstrates that it is possible to forge WhatsApp messages without leaving a trace.

2013

Android
11/22/2013
It is possible to know the location of a contact through its IP address
The introduction of new image download functionality associated with URL link sharing would allow an attacker to know a person's IP address, and therefore, their location. Also, other useful data for performing denial of service attacks.
Android IOS Windows
11/03/2013
It is possible to decrypt messages sent from WhatsApp
Pablo San Emeterio and Jaime Sánchez, publish an investigation that explains in detail how WhatsApp's message encryption system works, and how, with this information, it is possible to intercept sent messages and forge them for the final recipient. As a solution, they invented the WhatsApp Privacy Guard app. The problem is in the use of the same key to encrypt two messages, a failure of the RC4 encryption protocol.
Android IOS Windows
10/08/2013
WhatsApp encryption problems
Researcher Thijs Alkemade detects two weaknesses in WhatsApp's message encryption Firstly, he discovers that someone with access to the messages might be able to decipher their content despite the encryption used. Secondly, the use of the RC4 key allows for man-in-the-middle attacks capable of intercepting packets.
Source:
Android IOS Windows
01/17/2013
Security flaw triggers the creation of WhatsApp Voyeur
Alejandro Amo publishes the web service WhatsApp Voyeur as proof that anyone can get information from WhatsApp profile data without having the user in the contact list, such as photos, statuses, or dates. The service stopped working because of legal warnings. The reality is that this is possible just by adding a contact to our contact list.

2012

Android IOS Windows
05/04/2012
WhatsApp Sniffer, plain text messages
WhatsApp Sniffer app is launched, allowing to spy on chats. In August 2012 it was announced that WhatsApp would start encrypting messages, without specifying the protocol. The phone numbers were still visible.
Android IOS Windows
01/03/2012
WhatsAppStatus appears, allowing you to change the status of any contact
A web service called WhatsAppStatus is launched, which takes advantage of different vulnerabilities detected the previous month to allow changing the status of our contacts in a random way. The error would be corrected on January 6th.
Source:

2011

Android IOS Windows
12/19/2011
Irregular status updates, logging errors, and plain text related errors
Numerous vulnerabilities related to user status in the app, registration process, and plain text protocol are discovered, making it very easy to intercept them.
Android IOS
12/10/2011
Whatsapp Xtract is born, it is possible to steal a user's WhatsApp database
A group of researchers launches WhatsApp Xtract, a software capable of extracting and decrypting the database that WhatsApp locally stores on the devices. According to reports, this encrypted database, that stores all incoming and outgoing messages, can be accessed on mobile devices with root or jailbreak, and can be easily decoded as it always uses the same static and encrypted key.
Android IOS Windows
05/17/2011
Contact information and messages are sent as plain text
A researcher discovers that WhatsApp sends all the information unencrypted through the network, so any user can be a victim of spying through a man-in-the-middle attack, which by using a sniffer software such as WireShark, is able to see the data passing through port 443. WhatsApp implicitly recognized that there was no extra layer of security by responding that the security protocols applied were those of Wi-Fi and 3G networks.
Android
05/01/2011
A security flaw enabled the hijacking of user accounts
Security issues in the phone number verification or authentication process. A developer locates a bug that allowed a user's account to be hijacked remotely.