WhatsApp launches new website for security disclosure.
The website lists 6 vulnerabilities, but they have been patched.
This is an effort towards more transparency by the social media giant.
Facebook-owned messaging service WhatsApp has launched its own security disclosure portal. As the name would suggest, the website’s purpose seems to be the official disclosure of vulnerabilities found on WhatsApp to the general public. The launch of the website finds 6 new vulnerabilities already listed on it.
According to the WhatsApp security bulletin, five of the six vulnerabilities were fixed on the day of discovery. WhatsApp has said that in their audit, they have not found any evidence of these vulnerabilities being exploited by wild elements. 3 of the security vulnerabilities were brought to the company’s attention via the bug bounty program while the other three were discovered during regular code audits performed internally. One of the vulnerabilities in question could have resulted in a URL being malformed, making WhatsApp download an image from a sender-controlled URL, without user permission. This vulnerability was noted only on the Android versions of WhatsApp and WhatsApp Business. Another vulnerability alludes to how a “specially crafted video stream” could have been used to execute an out-of-bounds write operation on Android-based smartphones.
The new security focussed website comes as part of an effort by Facebook to be more transparent about many things, including security. While WhatsApp has remained mostly free from serious security lapses, one blot on the company's otherwise stellar record is the one where the Israeli NSO Group exploited a vulnerability to infected smartphones of high-value individuals and human rights activists with their Pegasus worm. Pegasus embeds itself into the operating system of a target smartphone, giving the hacker full control over the device and the data stored on it. It was alleged that Jeff Bezos had fallen prey to this attack as well last year. The NSO Group has denied all such allegations.
Besides addressing vulnerabilities, the WhatsApp team is also busy trying to incorporate new features into the app. Rumour is that the company may be testing a way for users to sync their chat history across platforms. Beta releases for WhatsApp also suggests that the company may be bringing back vacation mode and a whole lot more.