PSA: I can’t believe this hasn’t made it on the Tech News yet. WhatsApp urges its users to immediately update the said app after finding out that Israeli hackers have allegedly taken advantage of a vulnerability that can spy on iPhones. What’s worse is that all a hacker needs to do is call the target and the user doesn’t even need to answer.
QuoteThe spyware was developed by the Israeli cyber intelligence company NSO Group, according to the Financial Times, which first reported the vulnerability.
Attackers could transmit the malicious code to a target’s device by calling the user and infecting the call whether or not the recipient answered the call. Logs of the incoming calls were often erased, according to the report.
WhatsApp said that the vulnerability was discovered this month, and that the company quickly addressed the problem within its own infrastructure. An update to the app was published on Monday, and the company is encouraging users to upgrade out of an abundance of caution.
Which makes me think, are Telegram and iMessage vulnerable too? Is it possible that the design flaw is that your username is your phone number?
-
@captain_to_fire I guess the real question then becomes, "Is this a problem with Whatsapp's code or is it an phone OS security hole?"
-
The vulnerability is a buffer overflow in the WhatsApp VOIP stack on iOS, @captain_to_fire and @Techstorm970, as documented in the CVE that Facebook published for it. They've identified the root of the cause and have since patched it, as the article states. No need to go conspiracy mode on an implementation flaw.
-
IT'S ALL A CONSPIRACY TO TAKE US DOWN! [SLAMS FIST ON DESK]
-
Quote
No need to go conspiracy mode on an implementation flaw.
Well I was thinking that having your phone number as your only username to use WhatsApp might be a design flaw in security. I could be wrong, but you can be a target already by having a single phone number unlike having an actual username.
-
A security (researcher?) manager by the name of Adam Brown at Synopsis is claiming it's actually a vulnerability in libssh (this is what a couple articles say) but there is no link to a statement by him nor can I find anyone else stating this. Also it affects Android versions, Windows Phone, and Tizen (but slightly older version numbers). News is so new with little reporting that it's hard to find concrete information about it. Not even NIST or Mitre have published the CVE information yet, but the number is reserved in their databases.
- captain_to_fire and ARikozuM
- 2