[ad_1]
Facebook ownership WhatsApp has revealed six vulnerabilities in the application that could have allowed attackers to send malicious code remotely via images, URLs and video calls. WhatsApp claims that these vulnerabilities are now fixed, but there is no official information on whether users were affected or not.
According to WhatsApp, a bug now identified as CVE-2020-1894 could have allowed arbitrary code to be executed when playing a specially crafted push-to-talk message. This was due to a write stack overflow in WhatsApp for Android prior to v2.20.35 and WhatsApp for iPhone prior to v2.20.30. The same problem was also present in the respective WhatsApp Business applications.
WhatsApp also had a URL validation problem. “WhatsApp for Android prior to v2.20.11 and WhatsApp Business for Android prior to v2.20.2 could have caused the recipient of a tag message containing deliberately malformed data to load an image from a sender controlled URL without user interaction, ”he explained.
WhatsApp also had “an input validation problem” in WhatsApp desktop versions prior to v0.3.4932. This problem could have allowed cross-site scripting clicking on a link from a specially crafted live location message said.
“A buffer overflow in WhatsApp for Android before v2.20.11 and WhatsApp Business for Android before v2.20.2 could have allowed out-of-bounds write via specially crafted video stream after receiving and replying to a malicious video call, “said WhatsApp while describing another problem with
All six vulnerabilities are reported on the WhatsApp security advisories website. This site will keep a log of all security updates and Common Vulnerabilities and Exposures (CVE). The purpose of this website is primarily to promote WhatsApp as a transparent entity and also to help security researchers better understand issues and bugs. In addition to explaining the details of the vulnerability, WhatsApp is letting users know how certain bugs could have been used by attackers. Furthermore, it clarifies that “the CVE descriptions are intended to help researchers understand technical scenarios and do not imply that users have been affected in this way.”
