Published on May 14th, 2019
WhatsApp patches flaw allowing easy installation of Pegasus spyware
Facebook has posted a security advisory for a buffer overflow vulnerability in the VOIP stack of its subsidiary WhatsApp that could allow an attacker to install Pegasus spyware on victims' devices.
The spyware, developed by the Israeli NSO Group, lets its operators turn on a phone's camera and microphone, read emails and messages, and collect the user's location data. In this case it could be delivered simply by placing a WhatsApp call to the target: the victim did not need to answer, and the injection left no trace.
The vulnerability affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.
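The version list above is the practical check for defenders: confirm that every installed build is at or above the fixed release for its platform. The Python below is an added example, not code from this page or from WhatsApp; the inventory rows are constructed sample data, and the product names are used as keys exactly as the advisory lists them. Versions are compared numerically so that a build such as 2.19.9 is correctly ranked below 2.19.134, which a plain string comparison gets wrong.

```python
"""Flag WhatsApp builds that predate the fixed versions listed in the advisory."""
from __future__ import annotations

# First fixed release per product, as given in the advisory; anything older is affected.
FIXED_VERSIONS = {
    "WhatsApp for Android": "2.19.134",
    "WhatsApp Business for Android": "2.19.44",
    "WhatsApp for iOS": "2.19.51",
    "WhatsApp Business for iOS": "2.19.51",
    "WhatsApp for Windows Phone": "2.18.348",
    "WhatsApp for Tizen": "2.18.15",
}

# Constructed sample inventory (hypothetical device IDs, not real telemetry).
SAMPLE_INVENTORY = [
    {"device": "android-01", "product": "WhatsApp for Android", "version": "v2.19.134"},
    {"device": "android-02", "product": "WhatsApp for Android", "version": "2.19.98"},
    {"device": "ios-01", "product": "WhatsApp for iOS", "version": "v2.19.51"},
    {"device": "ios-02", "product": "WhatsApp Business for iOS", "version": "2.19.50"},
    {"device": "wp-01", "product": "WhatsApp for Windows Phone", "version": "2.18.348"},
    {"device": "tizen-01", "product": "WhatsApp for Tizen", "version": "2.18.9"},
]


def parse_version(text: str) -> tuple[int, ...]:
    """Turn 'v2.19.134' or '2.19.134' into (2, 19, 134) so tuples compare numerically."""
    cleaned = text.strip().lower().lstrip("v")
    parts = cleaned.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product: str, installed: str) -> bool:
    """True when the installed build is older than the fixed release for that product.

    Products not covered by the advisory raise KeyError rather than silently
    passing, so an unknown platform is surfaced instead of assumed safe.
    """
    if product not in FIXED_VERSIONS:
        raise KeyError(f"no advisory entry for {product!r}")
    return parse_version(installed) < parse_version(FIXED_VERSIONS[product])


def triage(inventory: list[dict[str, str]]) -> list[dict[str, str]]:
    """Return the inventory rows that still need the update, tagged with the fixed version."""
    needs_update = []
    for row in inventory:
        if is_vulnerable(row["product"], row["version"]):
            tagged = dict(row)
            tagged["fixed_in"] = FIXED_VERSIONS[row["product"]]
            needs_update.append(tagged)
    return needs_update


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['device']}: {row['product']} {row['version']} -> update to {row['fixed_in']}")
```

Feed it a real inventory export by replacing SAMPLE_INVENTORY; the product label must match the advisory wording, which is deliberate so that the Business and consumer apps on the same platform are not conflated, since they have different fixed versions on Android.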
"WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices," said WhatsApp in a statement.
StarLeaf CTO William MacDonald called the vulnerability an extremely severe security hole.
"Despite instant messaging becoming a growing part of our culture of communication, social platforms are often unwisely used for business," MacDonald said. "This example clearly demonstrates that there are many organizations aggressively hunting for flaws in consumer applications for commercial gain and for use by third parties."
MacDonald added that because consumer apps are not designed for business usage, it is the responsibility of every employee to adopt only the right solutions to minimize risk and protect users' data (company and customer).
Wandera Vice President of Engineering Mike Campin considered the attack "deeply worrying" and said it "shows how even the most trusted mobile apps and platforms can be vulnerable."
"While this attack is based on a previously identified exploit known as Pegasus, the fact that it has been repackaged into a form that can be delivered via a simple WhatsApp call has shocked many," Campin said.
Campin added that despite the app not typically being used as a corporate messaging application, it is widely used on both employees' personal devices and on corporate-issued devices, and once exploited it could grant a threat actor access to all of the data on a user's phone, potentially jeopardizing corporate networks as well.
"While it's less likely that the average citizen would be targeted with this kind of spyware, WhatsApp is used by many people for whom the privacy of their conversations is a life and death matter," said Tripwire Vice President of Product Management and Strategy Tim Erlin.
âNo software is perfectly secure and vulnerabilities like these are going to exist,â he said. âThe response is what matters.â
Fortunately, the vulnerability has been patched and users are urged to update as soon as possible.
Regardless of the vulnerability's disclosure, there may be more problems on the horizon, Kevin Stear, lead threat analyst at JASK, warned.
"Recent censorship (e.g. China) and at-scale exploitation scares (e.g. CVE-2019-3568) have raised questions about both the application's security and more specifically its actual efficacy at privacy protection," Stear said. "The exploitation of WhatsApp and other encrypted messaging applications has long been a focus for almost every nation-state with advanced cyber capabilities and operations, and it's extremely likely that a number of exploitation methods that haven't been made public yet are currently being evaluated and/or employed by advanced persistent threats (APTs)."
Ultimately the situation has been resolved for those who have updated their apps, and some researchers are praising WhatsApp for its prompt response.
"While there is not much the average user can do in this situation, for high profile individuals, or those working with sensitive information, it becomes important to evaluate downloaded apps, and indeed the functionality of a smartphone as a whole," said Javvad Malik, security awareness advocate at KnowBe4.
âFlaws can exist in every software, but kudos to the WhatsApp team for their rapid turnaround and releasing of a fix,â Malik said.