Here’s what you need to know about WhatsApp security flaws

Last year, WhatsApp reported a sharp escalation in the number of vulnerabilities it found on its platform. Here are some of the security flaws reported.

WhatsApp disclosed 12 security vulnerabilities in 2019, and according to the US National Vulnerability Database, seven of these are “critical”. This is a jump from the one or two medium-security concerns reported a few years ago.

These reported flaws come after Amazon CEO Jeff Bezos’ phone was allegedly hacked by the Saudi Crown Prince Mohammed bin Salman in 2018. Salman allegedly hacked Bezos’ phone and sent a malicious video from the phone, but the Amazon founder’s investigators were unable to uncover enough evidence to show whether the weaknesses came from WhatsApp or the iPhone X.

This raised security concerns, and Facebook-owned WhatsApp pointed the finger at Apple, saying it was confident that its encryption technology had not been exploited.

However, the US National Vulnerability Database, a US government repository of flaws, reported different findings this year.

Marc Rogers, vice-president of cybersecurity at Okta and head of the security team for the world’s largest hacking conference, Def Con, said that the fact that they found these new vulnerabilities means they didn’t just appear. “Many of those were likely sitting in there all that time, and there’s a very high chance they were being [exploited],” he said.

“You see this often: a flurry of vulnerabilities being pulled out of an app because someone is suddenly paying attention because they are scared,” he said.

Others have also criticised Facebook for putting the blame on Apple instead of taking responsibility and fixing these security flaws.

WhatsApp announced that it had improved its public reporting of flaws last year as part of its commitment to transparency.

“The issue at hand remains the proliferation of spyware that takes advantage of vulnerabilities, including those within the operating systems that power our mobile phones,” they said.

Their report was unable to find any spyware or malicious software that infiltrates users’ devices and extracts sensitive information. It suggested that Bezos could have been the victim of malware such as the Pegasus-3 product sold by Israeli company NSO Group.

The Saudi government called the report “absurd” and called for an investigation into the claims.

Users are advised to secure their WhatsApp from hackers by remembering one rule:

  • Do not, under any circumstances, share your six-digit WhatsApp code with anyone, including friends and family. Having this PIN could be the security barrier you need if someone tries to sign into your account.