PSA: I can’t believe this hasn’t made…

PSA: I can’t believe this hasn’t made it on the Tech News yet. WhatsApp urges its users to immediately update the said app after finding out that Israeli hackers have allegedly taken advantage of a vulnerability that can spy on iPhones. What’s worse is that all a hacker needs to do is call the target and the user doesn’t even need to answer.

https://www.theguardian.com/technology/2019/may/13/whatsapp-urges-users-to-upgrade-after-discovering-spyware-vulnerability

Quote

The spyware was developed by the Israeli cyber intelligence company NSO Group, according to the Financial Times, which first reported the vulnerability.

Attackers could transmit the malicious code to a target’s device by calling the user and infecting the call whether or not the recipient answered the call. Logs of the incoming calls were often erased, according to the report.

WhatsApp said that the vulnerability was discovered this month, and that the company quickly addressed the problem within its own infrastructure. An update to the app was published on Monday, and the company is encouraging users to upgrade out of an abundance of caution.

Which makes me think, are Telegram and iMessage vulnerable too? Is it possible that the design flaw is that your username is your phone number?

May 14, 2019

Techstorm970

Quote

are Telegram and iMessage vulnerable too?

iMessage isn't because calls are done through the "Phone" app on iPhones.

Telegram idk...

May 14, 2019
captain_to_fire

Yeah but both FaceTime and iMessage is tied to an individual’s phone number just like WhatsApp and Telegram, and back then I have a bad feeling that it can be a design flaw.

May 14, 2019
Techstorm970

@captain_to_fire I guess the real question then becomes, "Is this a problem with Whatsapp's code or is it an phone OS security hole?"

May 14, 2019
captain_to_fire

Since the advisory is to immediately update WhatsApp, it’s possible that the vulnerability is just the app but it’s possible that an iOS vulnerability also made it happen.

May 14, 2019
ARikozuM

This is the country we’ll support wholeheartedly... Tell me again why we can’t have free healthcare like they can?

May 14, 2019
2FA

The vulnerability is a buffer overflow in the WhatsApp VOIP stack on iOS, @captain_to_fire and @Techstorm970, as documented in the CVE that Facebook published for it. They've identified the root of the cause and have since patched it, as the article states. No need to go conspiracy mode on an implementation flaw.
May 14, 2019
Techstorm970, captain_to_fire and ARikozuM

2

1
Techstorm970

@2FA Thanks for the information.

@ARikozuM

Quote

This is the country we’ll support wholeheartedly... Tell me again why we can’t have free healthcare like they can?

What the f**k does that have to do with Whatsapp vulnerabilities???
May 14, 2019
ARikozuM

1
ARikozuM

IT'S ALL A CONSPIRACY TO TAKE US DOWN! [SLAMS FIST ON DESK]
May 14, 2019
Techstorm970

1
ARikozuM

Would the other solution be to delete Whatsapp?

May 14, 2019
captain_to_fire

@2FA

Quote

No need to go conspiracy mode on an implementation flaw.

Well I was thinking that having your phone number as your only username to use WhatsApp might be a design flaw in security. I could be wrong, but you can be a target already by having a single phone number unlike having an actual username.

May 14, 2019
captain_to_fire

But then, what do I know?
May 14, 2019
ARikozuM

1
2FA

A security (researcher?) manager by the name of Adam Brown at Synopsis is claiming it's actually a vulnerability in libssh (this is what a couple articles say) but there is no link to a statement by him nor can I find anyone else stating this. Also it affects Android versions, Windows Phone, and Tizen (but slightly older version numbers). News is so new with little reporting that it's hard to find concrete information about it. Not even NIST or Mitre have published the CVE information yet, but the number is reserved in their databases.
May 14, 2019
captain_to_fire and ARikozuM

2

Sign In

My Activity Streams