WhatsApp vulnerability left iOS open to spyware attack

Posted:
in iOS edited May 13
Facebook-owned WhatsApp on Monday disclosed the recent fix of a VoIP-related vulnerability that allowed nefarious parties to remotely install spyware on both iOS and Android handsets.

WhatsApp


Discovered in early May, the now-patched bug in the app's audio call feature allowed hackers to deliver a spyware payload to target devices, a process that worked even if the WhatsApp call recipient failed to answer.

It took WhatsApp less than ten days to patch the security hole following its discovery, reports TechCrunch. How long the vulnerability existed without detection is unknown, but the company confirmed hackers took advantage of the window to install an unknown number of malicious payloads.

Although WhatsApp did not name a specific company or spyware variant associated with the security breach, a statement on the matter points to Israeli vendor NSO Group.

"This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems," WhatsApp said.

NSO develops and markets a well-known and notoriously effective piece of spyware called Pegasus. Typically reserved for government buyers, Pegasus is often used by law enforcement agencies to gain wide access to key device functions and data stores.

Apple has in the past attempted to patch flaws in iOS and macOS leveraged by Pegasus, but NSO continues to uncover and exploit zero-day vulnerabilities in iOS to keep its product functional.

WhatsApp believes only a small number of users were impacted by attacks, noting only advanced and highly motivated actors would be capable of leveraging the bug, the report said.

The company alerted the U.S. Justice Department and various human rights organizations after discovering the vulnerability, and urges users to update their respective app versions to protect against future attacks.

"WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices," WhatsApp said in a statement.
«1

Comments

  • Reply 1 of 23
    gack, so how can you figure out if the spyware is there or not?
    chiawilliamlondonwatto_cobra
  • Reply 2 of 23
    StrangeDaysStrangeDays Posts: 7,298member
    Bahaha — so much for the argument on another story that Apple “lost” the secure chat platform space, because WhatsApp is more popular and cross-platform than iMessage. Oops. So much winning when you put your privacy into Facecrook’s hands, lol.
    lkruppolsarthurbachiachasmracerhomie3macxpressmacpluspluswilliamlondonbaconstang
  • Reply 3 of 23
    baconstangbaconstang Posts: 541member
    WhatsApp, Instagram & Facebook.   Lie down with dogs, wake up with who-knows-what.
    EsquireCatschasmStrangeDayswatto_cobra
  • Reply 4 of 23
    lkrupplkrupp Posts: 6,950member
    gack, so how can you figure out if the spyware is there or not?
    You have to ask the question, why would the Israelis go through the trouble of installing this on my device? Unless you think you are of interest to that government I wouldn’t worry too much. 

    "WhatsApp believes only a small number of users were impacted by attacks, noting only advanced and highly motivated actors would be capable of leveraging the bug, the report said. “ 

    Are you worth it? 
    Carnage
  • Reply 5 of 23
    macseekermacseeker Posts: 424member
    Apple needs to remove the entire universe of facebook apps from the app store. Also needs to find a way of making sure the prior installed apps doesn't work. Apple needs to get serious of its privacy policy.
    olswatto_cobra
  • Reply 6 of 23
    EsquireCatsEsquireCats Posts: 534member
    On one hand we have people complaining that Apple won't let developers write their own web browser engines. Software that is extremely complex and notoriously prone to security issues.

    On another we have one of the most popular chat apps, under the management of a company that has bucket loads of cash and programming talent - and it has such serious flaws that an entirely different app could be installed covertly through one of its main features.

    fotoformatarthurbachiawatto_cobra
  • Reply 7 of 23
    apple ][apple ][ Posts: 8,575member
    I find this to be pretty funny.
    StrangeDayswatto_cobra
  • Reply 8 of 23
    ivanhivanh Posts: 316member
    If WhatsApp can do it unintentionally, other spying apps can also do it INTENTIONALLY via legitimate apps.  This is the end of the App Store myth of security, isn’t it?
    williamlondon
  • Reply 9 of 23
    arthurbaarthurba Posts: 97member
    how? Reall, how?  How can WhatsApp install a program?  That’s a breach of the App Store rules. Fine they’ve patched it - but this sounds like a feature the developers wrote so they could add a ‘WhatsApp downloadable featurss’ type thing in future and didn’t disable it.  Apple needs to be able to do a better job of finding apps that break the rules like this and apply some decent penealties when they are found out. 
    watto_cobra
  • Reply 10 of 23
    longfanglongfang Posts: 113member
    So how do we check if our device has been compromised?
    watto_cobra
  • Reply 11 of 23
    fastasleepfastasleep Posts: 2,703member
    macseeker said:
    Apple needs to remove the entire universe of facebook apps from the app store. Also needs to find a way of making sure the prior installed apps doesn't work. Apple needs to get serious of its privacy policy.
    On what grounds. Some of us use those apps. You trying to drive people to Android?
    watto_cobra
  • Reply 12 of 23
    frantisekfrantisek Posts: 436member
    I am telling people not to use Facebook owned apps and they stare on me like a fool. Everyone use it..... Not that it is spyware by itself, but it allows other spyware in as well as we see now. That is a deal!
    edited May 14 watto_cobra
  • Reply 13 of 23
    frantisekfrantisek Posts: 436member
    gack, so how can you figure out if the spyware is there or not?
    It is. It is WhatsApp itself.
    beowulfschmidtwatto_cobra
  • Reply 14 of 23
    avon b7avon b7 Posts: 3,648member
    Bahaha — so much for the argument on another story that Apple “lost” the secure chat platform space, because WhatsApp is more popular and cross-platform than iMessage. Oops. So much winning when you put your privacy into Facecrook’s hands, lol.
    Did you read the article?
    KITA
  • Reply 15 of 23
    LatkoLatko Posts: 351member
    arthurba said:
    how? Reall, how?  How can WhatsApp install a program?  That’s a breach of the App Store rules. Fine they’ve patched it - but this sounds like a feature the developers wrote so they could add a ‘WhatsApp downloadable featurss’ type thing in future and didn’t disable it.  Apple needs to be able to do a better job of finding apps that break the rules like this and apply some decent penealties when they are found out. 

    ivanh said:
    If WhatsApp can do it unintentionally, other spying apps can also do it INTENTIONALLY via legitimate apps.  This is the end of the App Store myth of security, isn’t it?

    Apparently WhatsApp allows for the installation of malicious executables - that is against the Appstore rules and apparently leaked through Apple’s authentication process. So indeed - how many more apps might allow this “unforeseen” code execution leak and will never be reported ?
    edited May 14
  • Reply 16 of 23
    KITAKITA Posts: 168member
    Bahaha — so much for the argument on another story that Apple “lost” the secure chat platform space, because WhatsApp is more popular and cross-platform than iMessage. Oops. So much winning when you put your privacy into Facecrook’s hands, lol.
    WhatsApp, Instagram & Facebook.   Lie down with dogs, wake up with who-knows-what.
    macseeker said:
    Apple needs to remove the entire universe of facebook apps from the app store. Also needs to find a way of making sure the prior installed apps doesn't work. Apple needs to get serious of its privacy policy.
    On one hand we have people complaining that Apple won't let developers write their own web browser engines. Software that is extremely complex and notoriously prone to security issues.

    On another we have one of the most popular chat apps, under the management of a company that has bucket loads of cash and programming talent - and it has such serious flaws that an entirely different app could be installed covertly through one of its main features.

    frantisek said:
    I am telling people not to use Facebook owned apps and they stare on me like a fool. Everyone use it..... Not that it is spyware by itself, but it allows other spyware in as well as we see now. That is a deal!

    From the article above:

    NSO develops and markets a well-known and notoriously effective piece of spyware called Pegasus. Typically reserved for government buyers, Pegasus is often used by law enforcement agencies to gain wide access to key device functions and data stores.

    Apple has in the past attempted to patch flaws in iOS and macOS leveraged by Pegasus, but NSO continues to uncover and exploit zero-day vulnerabilities in iOS to keep its product functional.

    Johan42gatorguyfastasleep
  • Reply 17 of 23
    Johan42Johan42 Posts: 155member
    Bahaha — so much for the argument on another story that Apple “lost” the secure chat platform space, because WhatsApp is more popular and cross-platform than iMessage. Oops. So much winning when you put your privacy into Facecrook’s hands, lol.
    You sound so full of hate. Yuck.


    Anyways, to those talking shit about this app and praising Apple...Apple has had their share of massive vulnerabilities in the past. Go be hypocrites somewhere else.
    KITAwilliamlondon
  • Reply 18 of 23
    Johan42 said:
    Bahaha — so much for the argument on another story that Apple “lost” the secure chat platform space, because WhatsApp is more popular and cross-platform than iMessage. Oops. So much winning when you put your privacy into Facecrook’s hands, lol.
    You sound so full of hate. Yuck.


    Anyways, to those talking shit about this app and praising Apple...Apple has had their share of massive vulnerabilities in the past. Go be hypocrites somewhere else.
    You sound so full of... something else. 🤮
    Apple has had occasional issues and fixed them. Facebook has a very long history of spying on its customers, selling customer data, invading privacy, all the way up to helping foreign actors to influence an election. How dare you compare the two!
    StrangeDayswilliamlondonbaconstangwatto_cobra
  • Reply 19 of 23
    StrangeDaysStrangeDays Posts: 7,298member
    avon b7 said:
    Bahaha — so much for the argument on another story that Apple “lost” the secure chat platform space, because WhatsApp is more popular and cross-platform than iMessage. Oops. So much winning when you put your privacy into Facecrook’s hands, lol.
    Did you read the article?
    I did. Did you? Yes, the patches have been put in place. But the security exposure was there. So much for the sentiment that "Apple lost this space" on the other discussion, where a couple chaps were touting encryption and what not on WA. What good is all that if it's still going to act as a trojan horse? 

    Apple is still winning the space with iMessage, IMO. Now get to work on those goalposts!
    williamlondonbaconstangwatto_cobra
  • Reply 20 of 23
    StrangeDaysStrangeDays Posts: 7,298member

    Johan42 said:
    Bahaha — so much for the argument on another story that Apple “lost” the secure chat platform space, because WhatsApp is more popular and cross-platform than iMessage. Oops. So much winning when you put your privacy into Facecrook’s hands, lol.
    You sound so full of hate. Yuck.

    Anyways, to those talking shit about this app and praising Apple...Apple has had their share of massive vulnerabilities in the past. Go be hypocrites somewhere else.
    Nope, just recognize shit when I see it. And when it comes to Facebook properties, that's about all they all -- shit. Like I said, the fellow who just the other day here bragged that WhatsApp had "beaten" iOS in the secure-messaging space was quote full of the same. That's the context of what we're discussing here, son.
    williamlondonbaconstangwatto_cobra
Sign In or Register to comment.