WhatsApp, which is owned by Facebook, has reported six previously unknown bugs that the firm has now patched. The vulnerabilities are listed on a dedicated security advisory website, a new resource that offers a detailed list of WhatsApp security updates and the related Common Vulnerabilities and Exposures (CVE) entries.
WhatsApp said it patched five of the six bugs the same day, while the remaining flaw took a few days to resolve. While some of the bugs could have been triggered remotely, the company said it found no evidence that hackers were actively exploiting the vulnerabilities.
Around one-third of the new vulnerabilities were identified via the company’s Bug Bounty Program, while the others were found through regular code reviews and, as planned, by automated systems.
The new website was introduced in response to customer feedback and as part of the company’s attempts to be more open about bugs that affect the messaging app. The company says the WhatsApp community has been asking for a centralized location to track security vulnerabilities, as WhatsApp is not always able to detail its security advisories in an app's release notes because of app store policies.
The new dashboard will be updated every month, or sooner if it needs to warn users of an active attack. It will also feature an archive of past CVEs from 2018. Last year, WhatsApp went public after fixing a vulnerability that Israeli spyware maker NSO Group allegedly used. WhatsApp sued the spyware manufacturer, claiming that the company used the vulnerability to deliver its Pegasus spyware covertly to some 1,400 devices, including those of over 100 human rights defenders and journalists.
NSO has denied the allegations. The news was welcomed by John Scott-Railton, a senior researcher at Citizen Lab, whose work has included investigations into NSO Group.
“This is fine because we know bad actors are using extensive resources to gain and vulnerabilities,” he said. We strongly encourage all users to ensure that their respective app stores keep their WhatsApp up-to-date and update their mobile operating systems whenever updates are available.
Facebook also said Thursday that it had codified its vulnerability disclosure policy, allowing the company to warn developers of third-party code on which Facebook and WhatsApp rely about security vulnerabilities.
WhatsApp is one of the most widely used applications in the world, with more than two billion users worldwide. But it is also a constant target for hackers, who try to find and exploit vulnerabilities in the app.