WhatsApp Vulnerability Left iPhones Vulnerable to Israeli Spyware [Updated]

by

WhatsApp today disclosed a vulnerability that allowed hackers to remotely exploit a bug in the app's audio call system to access sensitive information on an iPhone or Android device.

According to The New York Times, attackers were able to insert malicious code into WhatsApp, allowing them to steal data, regardless of whether or not a WhatsApp phone call was answered.

Security researchers said that the spyware that took advantage of this flaw featured characteristics of the Pegasus spyware from NSO Group, which is normally licensed to governments who purchase the spyware for installing on the devices of individuals who are the target of an investigation.

Description:A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.

Affected Versions: The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.

The vulnerability was described by WhatsApp as "nontrivial to deploy, limiting it to advanced and highly motivated actors," but it's not clear how long the security flaw was available nor how many people were affected. It was used to target a London lawyer who has been involved in lawsuits against the NSO Group, and security researchers believe others could have been targeted as well.

WhatsApp engineers "worked around the clock" to address the vulnerability, and made a patch available on Monday. The initial vulnerability was discovered ten days ago after WhatsApp found abnormal voice calling activity following complaints from the aforementioned lawyer. WhatsApp says that it has notified the Department of Justice and a "number of human rights organizations" about the issue.

Update: Reader comments suggested that some of the wording in this article was confusing or misleading, so we have updated it to make sure the details of the vulnerability are clear. Specifically, this issue impacted WhatsApp, not the iOS operating system.

Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.

Top Rated Comments

(View all)
Avatar
15 months ago
Remember all the comments the other day about WhatsApp being more secure than iMessage?

:rolleyes:
Score: 25 Votes (Like | Disagree)
Avatar
15 months ago

Remember all the comments the other day about WhatsApp being more secure than iMessage?

:rolleyes:

So a bug in WhatsApp can install unsigned apps? That sounds like iOS has the bigger security bug
Score: 10 Votes (Like | Disagree)
Avatar
15 months ago

So a bug in WhatsApp can install unsigned apps? That sounds like iOS has the bigger security bug

Nah, not on iOS, it's so private and secure things like this or the carrier tracking situation could never be an iPhone issue. Yeah Privacy Timmy!

Two ridiculous comments. So if iOS is the problem, how come the fix was done via a patch to the WhatsApp App itself and also a server side update to WhatsApp? How come there's no updates for iOS or Android (since, you know, this exploit also worked with WhatsApp on Android) to fix this issue?

NVM, because Apple.
Score: 7 Votes (Like | Disagree)
Avatar
15 months ago

How did this vulnerability make it past the App Store review process? Do app reviewers take bribes to allow spy trash like this into apps?

This exploit is sideloaded and delivered to WhatsApp outside of the App Store.

The App Store itself does not vet apps for vulnerabilities (that would be impossible), but it does vet them for these types of warez directly.
[doublepost=1557803453][/doublepost]

So a bug in WhatsApp can install unsigned apps? That sounds like iOS has the bigger security bug

I just searched a little and it looks like this exploit is scoped solely to WhatsApp's VOIP stack (and within the sandbox) and whatever WhatsApp had permissions for. It will access all of your photos, if you've allowed WhatsApp access, for example.

I can't find any evidence of any additional system exploiting, yet. But this seems why it's able to affect such a wide range of systems - it is spyware within WhatsApp itself.
Score: 7 Votes (Like | Disagree)
Avatar
15 months ago

not as bad as the FaceTime bug/exploit.

I’d say it’s arguably worse as they could remote install software to your phone which could do any number of things including scraping all of your information stored on the phone.
Score: 6 Votes (Like | Disagree)
Avatar
15 months ago

Anyone else find it extremely disturbing Israelis spying?

Luckily they don’t make phones.

Israel makes loads of telecoms equipment for Europe and maybe even the USA under the name ECI. Now I don't use WhatsApp, never have but I do find it ironic that Huawei are being banned left right and centre yet ECI based equipment isn't, and now WhatsApp gets caught being a bad actor. I guess it depends on how friendly you are with your spying counterparts and what financial arrangements you have in place with them, as I'm sure every country knows exactly who is spying on who globally. It's good that iOS is so secure though, as Tim says what happens on your iPhone stays on your iPhone, oh hang on...
Score: 3 Votes (Like | Disagree)

Top Stories

Apple Officially Obsoletes First MacBook Pro With a Retina Display

Wednesday July 1, 2020 3:40 am PDT by
As expected, Apple's first MacBook Pro with a Retina display is now officially classed as "obsolete" worldwide, just over eight years after its release. In a support document, Apple notes that obsolete products are no longer eligible for hardware service, with "no exceptions." This means that any mid-2012 Retina MacBook Pro 15-inch models still out there that require a battery or other...

Kuo: iPhone 12 Models Won't Include Charger in Box, 20W Power Adapter Will Be Sold Separately

Sunday June 28, 2020 7:56 am PDT by
iPhone 12 models will not include EarPods or a power adapter in the box, analyst Ming-Chi Kuo said today in a research note obtained by MacRumors. This lines up with a prediction shared by analysts at Barclays earlier this week. Kuo said that Apple will instead release a new 20W power adapter as an optional accessory for iPhones and end production of its existing 5W and 18W power adapters...

Rosetta 2 Benchmarks Surface From Mac Mini With A12Z Chip

Monday June 29, 2020 7:48 am PDT by
While the terms and conditions for Apple's new "Developer Transition Kit" forbid developers from running benchmarks on the modified Mac mini with an A12Z chip, it appears that results are beginning to surface anyhow. Image Credit: Radek Pietruszewski Geekbench results uploaded so far suggest that the A12Z-based Mac mini has average single-core and multi-core scores of 811 and 2,781...

Apple's A12Z Under Rosetta Outperforms Microsoft's Native Arm-Based Surface Pro X

Monday June 29, 2020 10:31 am PDT by
Apple's Developer Transition Kit equipped with an A12Z iPad Pro chip began arriving in the hands of developers this morning to help them get their apps ready for Macs running Apple Silicon, and though forbidden, the first thing some developers did was benchmark the machine. Multiple Geekbench results have indicated that the Developer Transition Kit, which is a Mac mini with an iPad Pro chip, ...

New Mac Ransomware Found in Pirated Mac Apps

Tuesday June 30, 2020 11:44 am PDT by
There's a new 'EvilQuest' Mac ransomware variant that's spreading through pirated Mac apps, according to a new report shared today by Malwarebytes. The new ransomware was found in pirated download for the Little Snitch app found on a Russian forum. Right from the point of download, it was clear that something was wrong with the illicit version of Little Snitch, as it had a generic installer...

Developers Begin Receiving Mac Mini With A12Z Chip to Prepare Apps for Apple Silicon Macs

Monday June 29, 2020 5:43 am PDT by
As part of WWDC last week, Apple announced that it will be switching to its own custom-designed processors for Macs starting later this year. As part of this transition, the company is allowing developers to apply for a modified Mac mini with an A12Z chip and 16GB of RAM to develop and test their apps on a Mac with Arm-based architecture. As noted on Twitter and in the MacRumors forums, some...

Kuo: Apple to Launch 10.8-Inch iPad Later This Year, 8.5-Inch iPad Mini in 2021

Sunday June 28, 2020 9:04 am PDT by
Apple plans to launch a new 10.8-inch iPad in the second half of 2020, followed by a new 8.5-inch iPad in the first half of 2021, oft-reliable analyst Ming-Chi Kuo said today in a research note obtained by MacRumors. Kuo did not specify if the 10.8-inch iPad model will be a new version of the existing 10.2-inch iPad or the 10.5-inch iPad Air, but he has previously said that the 8.5-inch...

The New York Times Ends Apple News Partnership and Pulls All Articles

Monday June 29, 2020 11:17 am PDT by
The New York Times today announced that it is pulling out of Apple News, as the service does not "align with its strategy of building direct relationships with paying readers." Starting today, articles from The New York Times will no longer show up in the Apple News app. The news site says that Apple has given it "little in the way of direct relationships with readers" and "little control...

'iPhone 12 Pro' Models Could Be Capable of Shooting 4K Video at 120fps and 240fps

Monday June 29, 2020 3:57 am PDT by
Two new camera modes could be coming to some models of Apple's "iPhone 12," according to YouTube channel EverythingApplePro and Max Weinbach. Specifically, the video modes are said to include the ability to shoot 4K video at 120fps and 240fps. The new modes are thought to be coming to Apple's higher-end "iPhone 12 Pro" and "iPhone 12 Pro Max". Weinbach reportedly tore down the Camera app...

Leaker: Future iPhone Models to Come in 'Exquisite' Thinner Box

Wednesday July 1, 2020 1:57 am PDT by
Leaker L0vetodream this morning posted a tweet corroborating recent rumors that Apple's "iPhone 12" lineup won't come with EarPods or a charger in the box, adding that this will also eventually apply to the existing second-generation iPhone SE. L0vetodream also claims that future iPhone packaging will be "thinner" and "exquisite," which would make sense if Apple's handsets are set to come in ...