Paul Farrington, EMEA CTO, Veracode, discusses WhatsApp’s handling of its vulnerability disclosure and what this breach says about the way organisations detect and disclose software vulnerabilities.
In May, WhatsApp revealed details of a vulnerability in its app that could have allowed attackers to gain access to users' smartphones. WhatsApp is one of the most popular messaging tools in the world, with a sizeable 1.5 billion monthly users. It is favoured for its high level of security and privacy, as messages are encrypted end-to-end. That protection covers messages in transit, though: a flaw that lets an attacker run code on the handset itself lies outside what end-to-end encryption can defend, because the handset is where messages are decrypted and read.
The good news for end users is that the vulnerability has been fixed and an updated version of the app has been released as an extra precaution, which users should install. However, the incident has raised the importance of secure code, and says a lot about the way organisations more broadly detect and disclose software vulnerabilities.
In this instance the flaw was CVE-2019-3568, a buffer overflow in WhatsApp's VOIP stack that could be triggered remotely by a specially crafted series of SRTCP packets sent to the target's phone number. What is important to note is that, although the CVE is new, the bug class is not: buffer overflows are among the oldest and best understood memory-safety flaws.
In fact, according to Veracode's State of Software Security Volume 9 report, buffer overflow is the 25th most common flaw category and is found in three percent of applications.
Although it is less prevalent than flaw categories such as XSS or SQL injection, it is highly exploitable: in a network-facing parser, a single unchecked length field can hand an attacker control of the process. Organisations should be well aware of it and have plans in place for finding and fixing it quickly.
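The mechanism behind this bug class, as an added illustration in C (this is not WhatsApp's code and does not reproduce the actual CVE-2019-3568 flaw): a parser that trusts a length field from the network and copies that many bytes into a fixed-size buffer, shown beside the hardened version that bounds the copy by the destination. The packet format, the `call_state` struct and its `peer_verified` field are constructed for the example; the malicious packet is built inline so the demo runs offline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy call-control packet: byte 0 = type, byte 1 = declared payload length,
 * followed by the payload.  The format, struct and field names below are
 * constructed for this example; they are not WhatsApp's wire format. */
#define PAYLOAD_MAX 16

struct call_state {
    uint8_t  payload[PAYLOAD_MAX]; /* bytes copied in from the packet */
    uint32_t peer_verified;        /* adjacent field: nonzero once the peer was authenticated */
};

/* Vulnerable parser: it checks the declared length against the packet it
 * received, but never against the buffer it writes into, so a declared
 * length larger than PAYLOAD_MAX spills into whatever follows the buffer. */
int parse_packet_unsafe(struct call_state *st, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 2)
        return -1;
    size_t declared = pkt[1];
    if (pkt_len < 2 + declared)
        return -1;                 /* source bound only: the destination bound is missing */
    /* The destination is addressed from the base of *st so that, for the
     * sample packet below, the overrun stays inside the struct and the
     * corrupted neighbour can be inspected; a real overflow keeps going. */
    memcpy((uint8_t *)st + offsetof(struct call_state, payload), pkt + 2, declared);
    return (int)declared;
}

/* Hardened parser: the declared length is bounded by the destination buffer
 * before anything is copied; oversized packets are rejected, not truncated. */
int parse_packet_safe(struct call_state *st, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 2)
        return -1;
    size_t declared = pkt[1];
    if (declared > PAYLOAD_MAX)
        return -2;                 /* destination bound */
    if (pkt_len < 2 + declared)
        return -1;
    memcpy(st->payload, pkt + 2, declared);
    return (int)declared;
}

typedef int (*parser_fn)(struct call_state *, const uint8_t *, size_t);

struct demo_result {
    int      rc;                   /* parser return code */
    uint32_t peer_verified;        /* value of the adjacent field after parsing */
};

/* Feeds one constructed packet to the given parser.  With oversize == 0 the
 * packet is benign (PAYLOAD_MAX bytes of payload).  With oversize != 0 it
 * declares PAYLOAD_MAX + 4 bytes, and the last four carry an attacker-chosen
 * value that lands exactly on peer_verified. */
struct demo_result run_demo(parser_fn parser, int oversize)
{
    uint8_t pkt[2 + PAYLOAD_MAX + sizeof(uint32_t)];
    size_t declared = oversize ? PAYLOAD_MAX + sizeof(uint32_t) : PAYLOAD_MAX;

    pkt[0] = 0x01;                 /* arbitrary packet type */
    pkt[1] = (uint8_t)declared;
    memset(pkt + 2, 'A', PAYLOAD_MAX);
    uint32_t planted = 1;          /* "peer is verified", in native byte order */
    memcpy(pkt + 2 + PAYLOAD_MAX, &planted, sizeof planted);

    struct call_state st;
    memset(&st, 0, sizeof st);     /* peer_verified starts at 0 */

    struct demo_result r;
    r.rc = parser(&st, pkt, 2 + declared);
    r.peer_verified = st.peer_verified;
    return r;
}

int main(void)
{
    struct demo_result r;

    r = run_demo(parse_packet_unsafe, 1);
    printf("unsafe parser, oversized packet: rc=%d peer_verified=%u\n", r.rc, (unsigned)r.peer_verified);
    r = run_demo(parse_packet_safe, 1);
    printf("safe parser,   oversized packet: rc=%d peer_verified=%u\n", r.rc, (unsigned)r.peer_verified);
    r = run_demo(parse_packet_safe, 0);
    printf("safe parser,   benign packet:    rc=%d peer_verified=%u\n", r.rc, (unsigned)r.peer_verified);
    return 0;
}
```

With the unsafe parser the oversized packet flips `peer_verified` from 0 to 1 without any crash, which is the point: an overflow that lands on adjacent state is silent and attacker-controlled. The fix is the single comparison against the destination size, and it belongs before the copy, not after; the source-length check on its own is not a bounds check. In a real code base the same discipline should be backed by compiler hardening and fuzzing of every network-facing parser.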