As the Financial Times, TechCrunch, and everyone else is reporting today, users of WhatsApp are being urged to update as soon as possible after a serious security exploit was discovered.
I know because I’ve had some members of the media contact me, including one TV show that I declined to appear on.
"Good Morning Britain" asked me to speak about the WhatsApp security issue this morning. I declined. After all, they have their own phone hacking expert… pic.twitter.com/paeJmF9hDw
— Graham Cluley (@gcluley) May 14, 2019
So what’s the problem?
A buffer overflow vulnerability in Facebook-owned WhatsApp allowed spyware developed by the Israeli firm NSO Group to be installed on targeted devices. Attackers could simply call a smartphone to infect it – the intended target didn’t even need to answer the call. According to the Financial Times report, incoming call logs could be erased to hide evidence that an attack had taken place.
The Financial Times reports that the attack was used against an unnamed UK-based lawyer on 12 May. A successful infection by the malware, known as Pegasus, would allow a remote attacker to steal a gallimaufry of information – including sensitive messages, address books, email archive, browser history and GPS location – and even to hijack a device’s camera and microphone.
According to a curt security advisory issued by Facebook, the following versions of WhatsApp are affected:
- WhatsApp for Android prior to v2.19.134
- WhatsApp Business for Android prior to v2.19.44
- WhatsApp for iOS prior to v2.19.51
- WhatsApp Business for iOS prior to v2.19.51
- WhatsApp for Windows Phone prior to v2.18.348
- WhatsApp for Tizen prior to v2.18.15
So, if you use WhatsApp, you should update the app as quickly as possible.
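For anyone checking more than one phone, the advisory's thresholds can be applied to a device inventory. The sketch below is an added example, not code from Facebook or WhatsApp; the inventory rows, device names and function names are constructed for illustration. It compares versions numerically, because a plain string comparison would rank 2.19.98 above 2.19.134 and report an affected device as fixed.

```python
import re

# First fixed version per product, as listed in the advisory quoted above.
FIXED = {
    ("whatsapp", "android"): "2.19.134",
    ("whatsapp business", "android"): "2.19.44",
    ("whatsapp", "ios"): "2.19.51",
    ("whatsapp business", "ios"): "2.19.51",
    ("whatsapp", "windows phone"): "2.18.348",
    ("whatsapp", "tizen"): "2.18.15",
}

def parse_version(text):
    """Turn 'v2.19.134' into (2, 19, 134) so comparison is numeric."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def is_affected(product, platform, installed):
    """True if older than the fixed build, False if not, None if not listed."""
    fixed = FIXED.get((product.lower(), platform.lower()))
    if fixed is None:
        return None  # the advisory says nothing about this product
    have, want = parse_version(installed), parse_version(fixed)
    width = max(len(have), len(want))
    pad = lambda v: v + (0,) * (width - len(v))  # treat 2.19 as 2.19.0
    return pad(have) < pad(want)

# Constructed inventory rows: (device, product, platform, installed version).
INVENTORY = [
    ("phone-01", "WhatsApp", "Android", "2.19.98"),
    ("phone-02", "WhatsApp", "Android", "2.19.134"),
    ("phone-03", "WhatsApp Business", "Android", "v2.19.44"),
    ("phone-04", "WhatsApp", "iOS", "2.19.9"),
    ("phone-05", "WhatsApp", "ExampleOS", "2.19.1"),  # hypothetical platform
]

def audit(rows):
    """Map each device to True (affected), False (fixed) or None (unknown)."""
    return {dev: is_affected(prod, plat, ver) for dev, prod, plat, ver in rows}

if __name__ == "__main__":
    for dev, status in audit(INVENTORY).items():
        label = {True: "AFFECTED", False: "ok", None: "not in advisory"}[status]
        print(dev, label)
```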
Chances are that you aren’t high on the list of users that attackers are likely to target with this exploit, but it’s better to be safe than sorry. Anyway, you want to be able to see stickers, right?
You see, the latest WhatsApp update makes no mention of a security fix being included. It just talks about stickers instead.
I wonder how many millions of people will be unsure today whether they’re using the fixed version of WhatsApp or not?
For my sins, I run WhatsApp Beta on Android and naively thought it was patched the other day because its version number met the advisory conditions (v2.19.139) and there were no updates available.
An update has now been made available (v2.19.143) that includes the single release note "Security fix for CVE-2019-3568."
So when it comes to release notes, at least someone is getting the message there. I wonder if they'll reflect this on the next mainstream update.