WhatsApp Vulnerability Left iPhones Vulnerable to Israeli Spyware [Updated]

WhatsApp today disclosed a vulnerability that allowed hackers to remotely exploit a bug in the app's audio call system to access sensitive information on an iPhone or Android device.

According to The New York Times, attackers were able to insert malicious code into WhatsApp, allowing them to steal data, regardless of whether or not a WhatsApp phone call was answered.

Security researchers said that the spyware that took advantage of this flaw featured characteristics of the Pegasus spyware from NSO Group, which is normally licensed to governments who purchase the spyware for installing on the devices of individuals who are the target of an investigation.

Description: A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.

Affected Versions: The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.
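
A device inventory can be checked against the fixed releases listed above. The following is an added example, not code from the article or from WhatsApp; the inventory fields (device, product, platform, version) and the sample rows are assumptions constructed for illustration. Versions are compared numerically, since a plain string comparison would rank 2.19.51 above 2.19.134 and miss an affected Android install.

```python
import re

# First fixed release per (product, platform), copied from the advisory text above.
FIXED = {
    ("WhatsApp", "Android"): "2.19.134",
    ("WhatsApp Business", "Android"): "2.19.44",
    ("WhatsApp", "iOS"): "2.19.51",
    ("WhatsApp Business", "iOS"): "2.19.51",
    ("WhatsApp", "Windows Phone"): "2.18.348",
    ("WhatsApp", "Tizen"): "2.18.15",
}

def parse_version(text):
    """Turn 'v2.19.134' or '2.19.134' into (2, 19, 134); reject anything else."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def is_affected(product, platform, installed):
    """True when the installed version is older than the first fixed release."""
    fixed = parse_version(FIXED[(product, platform)])  # KeyError if not listed
    have = parse_version(installed)
    width = max(len(fixed), len(have))
    have += (0,) * (width - len(have))    # pad so 2.19 compares as 2.19.0
    fixed += (0,) * (width - len(fixed))
    return have < fixed

def audit(inventory):
    """Return (device, status) for rows that need an update or a manual look."""
    findings = []
    for row in inventory:
        try:
            if is_affected(row["product"], row["platform"], row["version"]):
                findings.append((row["device"], "update required"))
        except (KeyError, ValueError):
            # Unlisted product/platform or unreadable version: do not assume safe.
            findings.append((row["device"], "manual review"))
    return findings

SAMPLE_INVENTORY = [  # constructed sample data, not real devices
    {"device": "phone-01", "product": "WhatsApp", "platform": "Android", "version": "2.19.51"},
    {"device": "phone-02", "product": "WhatsApp", "platform": "Android", "version": "2.19.134"},
    {"device": "phone-03", "product": "WhatsApp", "platform": "iOS", "version": "2.19.50"},
    {"device": "phone-04", "product": "WhatsApp Business", "platform": "Android", "version": "v2.19.44"},
    {"device": "phone-05", "product": "WhatsApp", "platform": "Tizen", "version": "unknown"},
]

if __name__ == "__main__":
    for device, status in audit(SAMPLE_INVENTORY):
        print(device, status)
```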

The vulnerability was described by WhatsApp as "nontrivial to deploy, limiting it to advanced and highly motivated actors," but it's not clear how long the security flaw was available nor how many people were affected. It was used to target a London lawyer who has been involved in lawsuits against the NSO Group, and security researchers believe others could have been targeted as well.

WhatsApp engineers "worked around the clock" to address the vulnerability, and made a patch available on Monday. The initial vulnerability was discovered ten days ago after WhatsApp found abnormal voice calling activity following complaints from the aforementioned lawyer. WhatsApp says that it has notified the Department of Justice and a "number of human rights organizations" about the issue.

Update: Reader comments suggested that some of the wording in this article was confusing or misleading, so we have updated it to make sure the details of the vulnerability are clear. Specifically, this issue impacted WhatsApp, not the iOS operating system.

Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.



Top Rated Comments

10 weeks ago
Remember all the comments the other day about WhatsApp being more secure than iMessage?

:rolleyes:
Rating: 25 Votes
10 weeks ago

Remember all the comments the other day about WhatsApp being more secure than iMessage?

:rolleyes:


So a bug in WhatsApp can install unsigned apps? That sounds like iOS has the bigger security bug
Rating: 10 Votes
10 weeks ago

How did this vulnerability make it past the App Store review process? Do app reviewers take bribes to allow spy trash like this into apps?


This exploit is sideloaded and delivered to WhatsApp outside of the App Store.

The App Store itself does not vet apps for vulnerabilities (that would be impossible), but it does vet them for these types of warez directly.

So a bug in WhatsApp can install unsigned apps? That sounds like iOS has the bigger security bug


I just searched a little and it looks like this exploit is scoped solely to WhatsApp's VOIP stack (and within the sandbox) and whatever WhatsApp had permissions for. It will access all of your photos, if you've allowed WhatsApp access, for example.

I can't find any evidence of any additional system exploiting, yet. But this seems to be why it's able to affect such a wide range of systems - it is spyware within WhatsApp itself.
Rating: 7 Votes
10 weeks ago

So a bug in WhatsApp can install unsigned apps? That sounds like iOS has the bigger security bug


Nah, not on iOS, it's so private and secure things like this or the carrier tracking situation could never be an iPhone issue. Yeah Privacy Timmy!


Two ridiculous comments. So if iOS is the problem, how come the fix was done via a patch to the WhatsApp App itself and also a server side update to WhatsApp? How come there's no updates for iOS or Android (since, you know, this exploit also worked with WhatsApp on Android) to fix this issue?

NVM, because Apple.
Rating: 7 Votes
10 weeks ago

not as bad as the FaceTime bug/exploit.


I’d say it’s arguably worse as they could remote install software to your phone which could do any number of things including scraping all of your information stored on the phone.
Rating: 6 Votes
10 weeks ago

Anyone else find it extremely disturbing Israelis spying?

Luckily they don’t make phones.

Israel makes loads of telecoms equipment for Europe and maybe even the USA under the name ECI. Now I don't use WhatsApp, never have but I do find it ironic that Huawei are being banned left right and centre yet ECI based equipment isn't, and now WhatsApp gets caught being a bad actor. I guess it depends on how friendly you are with your spying counterparts and what financial arrangements you have in place with them, as I'm sure every country knows exactly who is spying on who globally. It's good that iOS is so secure though, as Tim says what happens on your iPhone stays on your iPhone, oh hang on...
Rating: 3 Votes
10 weeks ago
I found a link to the original Times article, and it is clear that the MacRumors article is mixing things up.

From the article: "Digital attackers could use the vulnerability to insert malicious code and steal data from an Android phone or an iPhone simply by placing a WhatsApp call, even if the victim did not pick up the call." So WhatsApp has a vulnerability, which lets an attacker break into the WhatsApp app. No mention of installing applications on the phone. No mention that they could affect anything outside WhatsApp.

Then later the article says that in 2016 the same company producing this exploit _was_ able to install software on an iPhone, using vulnerabilities that were present in 2016. So they cannot do this today, with or without WhatsApp exploit.

Yes I was thinking that. I mean WhatsApp was obviously buggy, or considering Facebook own it it was by design.... anyway, it had this bug that allowed it to completely bypass any and all iOS security??
That’s a failure of the iOS coding is it not? It’s not protecting those back doors.


According to the New Times article, which is much clearer than the MacRumors one, no. There was no exploit against iOS. This attack was against the WhatsApp app only.
Rating: 3 Votes
10 weeks ago
How did this vulnerability make it past the App Store review process? Do app reviewers take bribes to allow spy trash like this into apps?
Rating: 2 Votes
10 weeks ago
Some facts:
1. NSO is an Israeli-based company – not Israel.
2. The Israeli law bans the export of technologies such as NSO’s without the right permits (which are given to countries and certified organizations) – if NSO is selling to others, it is an illegal act.
3. NSO’s technology saved thousands over the world already.
Rating: 2 Votes
10 weeks ago
Shocking (not), the top messaging app in many countries is compromised by a State run security agency. The question is whether this was by accident, partnership or from someone on the inside.

Apple's OS's, messaging apps and ROMs have to be prime targets by just about every security agency out there.
Rating: 2 Votes