WhatsApp reported sharp rise in security flaws in 2019

Cybersecurity

2020-01-28 / www.ft.com




WhatsApp reported a sharp escalation in the number of vulnerabilities it found on its platform in 2019, raising fresh questions about the security of an app that has often been hailed for safe private messaging.
Data from the US National Vulnerability Database, a US government repository of flaws, shows that the Facebook-owned messaging service disclosed 12 vulnerabilities last year - seven of which were classified as "critical" - a significant jump from the past few years, when just one or two medium-level vulnerabilities were disclosed.
The platform came under increased scrutiny last week after a report commissioned by Jeff Bezos, Amazon chief executive, alleged that a WhatsApp account used by Saudi Crown Prince Mohammed bin Salman hacked the Amazon founder's iPhone in 2018 by sending a malicious video message.
However, Mr Bezos's investigators were unable to uncover enough evidence to show whether weaknesses in either the messaging service or the iPhone X were exploited.
When asked about the hack, Facebook pointed the finger at iPhone-maker Apple. On Friday, Nick Clegg, Facebook's head of communications, said that he believed something "affected the phone operating system" and that he was "very, very confident" that WhatsApp's encryption technology had not been exploited.
But the jump in WhatsApp vulnerabilities has highlighted other weaknesses that appear to have gone unaddressed for some time, experts say.
"The fact that they found . . . serious vulnerabilities in 2019 but didn't find them before doesn't mean they just appeared," said Marc Rogers, vice-president of cyber security at Okta and head of the security team for the world's largest hacking conference, Def Con. "Many of those were likely sitting in there all that time, and there's a very high chance they were being [exploited]."
He added that the data "strongly suggests" the company had been complacent about the security of the app until fairly recently. "You see this often: a flurry of vulnerabilities being pulled out of an app because someone is suddenly paying attention because they are scared," he said.
Others have criticised Facebook for appearing to prematurely shift responsibility on to Apple.
"For Facebook to blame Apple, that's not responsible. They need to be able to fix their vulnerabilities as well," said Ron Gula, a former employee of the US National Security Agency who founded cyber security group Tenable.

WhatsApp, which was acquired by Facebook in 2014, said it had stepped up its public reporting of flaws last year as part of a "commitment to transparency and support for security experts that help protect people from similar threats". The vulnerabilities reported in the database were all fixed prior to disclosure.
"The issue at hand remains the proliferation of spyware that takes advantage of vulnerabilities, including those within the operating systems that power our mobile phones," the company added.
In its report, FTI Consulting, the lobbying group hired by Mr Bezos to carry out the investigation, was unable to identify any spyware, the malicious software that infiltrates devices to covertly extract sensitive information without a user's knowledge. But the investigators said they believed some had been planted on the phone via an encrypted media server on the WhatsApp network.
The report suggested that Mr Bezos could have been the victim of malware such as the Pegasus-3 product sold by Israeli company NSO Group, which last year was discovered to have been exploiting a WhatsApp flaw, or the Galileo spyware sold by Italian company Hacking Team.
Others, such as security expert Bruce Schneier, suggested that WhatsApp was merely a conduit that then allowed the hackers to exploit operating system vulnerabilities, adding that no company can effectively police all the traffic that flows over its network.
Researchers have called for further investigation into the matter, with some questioning the capabilities of Mr Bezos's investigators. Apple and WhatsApp declined to comment.

HIGHLIGHTS


Top