Of the six new vulnerabilities fixed by WhatsApp, four existed in WhatsApp for Android, with two being a part of its iPhone client, while the remaining two were specifically related to WhatsApp Desktop versions prior to v0.3.4932, as reported on the security advisory site. Two third of the new vulnerabilities were found internally — through code review or automated dynamic analysis — and one third were reported through the bug bounty programme conducted by Facebook.
WhatsApp will be able to continue the practice of revealing vulnerabilities through its newly created security advisory site. This will detail the security issues that the company isn’t able to mention in the app release notes of the updates due to the policies and practices of app stores.
The growing presence of WhatsApp that already has over 200 crore users globally has brought it in the focus of hackers around the world. In some past instances, bad actors were able to exploit the app to manipulate messages of users and even snoop their phones. The WhatsApp team itself reported a dozen of security vulnerabilities that were fixed last year, as per the entries listed on the US National Vulnerability Database (NVD).
Thus, it makes sense for WhatsApp to have a dedicated security advisory site where it can list all the security issues under one roof. The arrival of the new site also suggests that the security team behind the world’s most popular messaging app could focus more on identifying and patching flaws to resist past issues.
“We are very committed to transparency and this resource is intended to help the broader technology community benefit from the latest advances in our security efforts,” WhatsApp wrote on its security advisory site.
In addition to the new site, WhatsApp parent Facebook has announced its vulnerability disclosure policy that will allow the social media giant to publicly disclose the vulnerabilities it found in a third-party code after 21 days of its reporting.
“Facebook will contact the appropriate responsible party and inform them as quickly as reasonably possible of a security vulnerability we’ve found. We expect the third party to respond within 21 days to let us know how the issue is being mitigated to protect the impacted people. If we don’t hear back within 21 days after reporting, Facebook reserves the right to disclose the vulnerability,” the company said in its advisory related to the new policy.
In 2020, will WhatsApp get the killer feature that every Indian is waiting for? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts or RSS, download the episode, or just hit the play button below.