whatsappWhatsApp today disclosed a vulnerability that allowed hackers to remotely exploit a bug in the app's audio call system to access sensitive information on an iPhone or Android device.

According to The New York Times, attackers were able to insert malicious code into WhatsApp, allowing them to steal data, regardless of whether or not a WhatsApp phone call was answered.

Security researchers said that the spyware that took advantage of this flaw featured characteristics of the Pegasus spyware from NSO Group, which is normally licensed to governments who purchase the spyware for installing on the devices of individuals who are the target of an investigation.

Description:A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.

Affected Versions: The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.

The vulnerability was described by WhatsApp as "nontrivial to deploy, limiting it to advanced and highly motivated actors," but it's not clear how long the security flaw was available nor how many people were affected. It was used to target a London lawyer who has been involved in lawsuits against the NSO Group, and security researchers believe others could have been targeted as well.

WhatsApp engineers "worked around the clock" to address the vulnerability, and made a patch available on Monday. The initial vulnerability was discovered ten days ago after WhatsApp found abnormal voice calling activity following complaints from the aforementioned lawyer. WhatsApp says that it has notified the Department of Justice and a "number of human rights organizations" about the issue.

Update: Reader comments suggested that some of the wording in this article was confusing or misleading, so we have updated it to make sure the details of the vulnerability are clear. Specifically, this issue impacted WhatsApp, not the iOS operating system.

Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.

Top Rated Comments

Slix Avatar
70 months ago
Remember all the comments the other day about WhatsApp being more secure than iMessage?

:rolleyes:
Score: 25 Votes (Like | Disagree)
macfacts Avatar
70 months ago
Remember all the comments the other day about WhatsApp being more secure than iMessage?

:rolleyes:
So a bug in WhatsApp can install unsigned apps? That sounds like iOS has the bigger security bug
Score: 10 Votes (Like | Disagree)
realtuner Avatar
70 months ago
So a bug in WhatsApp can install unsigned apps? That sounds like iOS has the bigger security bug
Nah, not on iOS, it's so private and secure things like this or the carrier tracking situation could never be an iPhone issue. Yeah Privacy Timmy!
Two ridiculous comments. So if iOS is the problem, how come the fix was done via a patch to the WhatsApp App itself and also a server side update to WhatsApp? How come there's no updates for iOS or Android (since, you know, this exploit also worked with WhatsApp on Android) to fix this issue?

NVM, because Apple.
Score: 7 Votes (Like | Disagree)
Mascots Avatar
70 months ago
How did this vulnerability make it past the App Store review process? Do app reviewers take bribes to allow spy trash like this into apps?
This exploit is sideloaded and delivered to WhatsApp outside of the App Store.

The App Store itself does not vet apps for vulnerabilities (that would be impossible), but it does vet them for these types of warez directly.
[doublepost=1557803453][/doublepost]
So a bug in WhatsApp can install unsigned apps? That sounds like iOS has the bigger security bug
I just searched a little and it looks like this exploit is scoped solely to WhatsApp's VOIP stack (and within the sandbox) and whatever WhatsApp had permissions for. It will access all of your photos, if you've allowed WhatsApp access, for example.

I can't find any evidence of any additional system exploiting, yet. But this seems why it's able to affect such a wide range of systems - it is spyware within WhatsApp itself.
Score: 7 Votes (Like | Disagree)
Marshall73 Avatar
70 months ago
not as bad as the FaceTime bug/exploit.
I’d say it’s arguably worse as they could remote install software to your phone which could do any number of things including scraping all of your information stored on the phone.
Score: 6 Votes (Like | Disagree)
killhippie Avatar
70 months ago
Anyone else find it extremely disturbing Israelis spying?

Luckily they don’t make phones.
Israel makes loads of telecoms equipment for Europe and maybe even the USA under the name ECI. Now I don't use WhatsApp, never have but I do find it ironic that Huawei are being banned left right and centre yet ECI based equipment isn't, and now WhatsApp gets caught being a bad actor. I guess it depends on how friendly you are with your spying counterparts and what financial arrangements you have in place with them, as I'm sure every country knows exactly who is spying on who globally. It's good that iOS is so secure though, as Tim says what happens on your iPhone stays on your iPhone, oh hang on...
Score: 3 Votes (Like | Disagree)

Popular Stories

Beyond iPhone 13 Better Blue Face ID Single Camera Hole

10 Reasons to Wait for Next Year's iPhone 17

Friday September 13, 2024 2:40 am PDT by
Apple's iPhone development roadmap runs several years into the future and the company is continually working with suppliers on several successive iPhone models simultaneously, which is why we sometimes get rumored feature leaks so far ahead of launch. The iPhone 17 series is no different – already we have some idea of what to expect from Apple's 2025 smartphone lineup. If you plan to skip...
Generic iOS 18 Feature Real Mock

Apple Shares Full List of Over 250 New Features and Changes Coming With iOS 18

Wednesday September 11, 2024 7:16 am PDT by
Following its iPhone 16 event on Monday, Apple shared a PDF on its website with a list of all new features and changes coming with iOS 18. The list includes many features that were already announced, including Apple Intelligence, new customization options for the Home Screen and Control Center, a redesigned Photos app, several enhancements to the Messages app, a Passwords app, and more....
iphone 16 pro models 1

Skipping the iPhone 16 Pro? Here's What's Rumored for iPhone 17 Pro

Wednesday September 11, 2024 8:20 am PDT by
Will you be skipping the iPhone 16 Pro and waiting another year to upgrade? If so, we already have some iPhone 17 Pro rumors for you. Below, we recap key new features rumored for the iPhone 17 Pro models so far: 24MP front camera for all iPhone 17 models: All four iPhone 17 models will feature an upgraded 24-megapixel front-facing camera, according to Apple supply chain analysts Ming-Chi...
iphone 16 pro colors 1

Here's When iPhone 16 Pre-Orders Begin in Every Time Zone

Thursday September 12, 2024 6:12 am PDT by
Pre-orders for the iPhone 16, ‌iPhone 16‌ Plus, iPhone 16 Pro, and ‌iPhone 16 Pro‌ Max are set to begin on Friday, September 13 at 5:00 a.m. Pacific Time, with the new devices set to become available in multiple countries around the world simultaneously. We've compiled pre-order times for various countries to help MacRumors readers be among the first to order. This list isn't...
iphone 16 pro apple intelligence

iPhone 16 Pro and Pro Max Shipping Estimates Extending Into October

Friday September 13, 2024 5:48 am PDT by
Apple began accepting pre-orders for all four new iPhone 16 models today, and shipping estimates for the iPhone 16 Pro and Pro Max on Apple's online store in the U.S. are already beginning to slip into October for many configurations. As of 6:45 a.m. Pacific Time, the iPhone 16 Pro and Pro Max were facing a 2-4 week shipping delay for some configurations on Apple's online store, with...
iphone 16 pro apple intelligence

Apple Intelligence Features Expected to Roll Out in This Order Between iOS 18.1 and iOS 18.4

Friday September 13, 2024 1:01 pm PDT by
iOS 18 will be released to the public on Monday, but the first Apple Intelligence features will not be available until iOS 18.1 is released in October. Apple Intelligence features will continue to roll out in iOS 18.2 and beyond, with the expected roadmap outlined below per Apple's website and rumors. Apple Intelligence requires an iPhone 15 Pro model or any iPhone 16 model, and it will...