It seems although the Instant Messaging is protected by End to End encryption via the Signal Protocol, a buffer overflow can allow a back door allowing any or all data on the phone to be compromised.
From Facebook security:
(Since Facebook owns WhatsApp)
Some Scary Stuff
- This is a buffer overflow vulnerability
- The exploit typically installs Pegasus Spyware
- The exploit works if a call is made to the target phone, the user does not need to pickup the call
- The spyware erases the call log, thus the user would be unaware of the issue
The CVE Process
CVE Common Vulnerabilities and Exposures maintains a database of issues that are reported to it. They are also visible via NIST. CVE is part of Mitre.
As I understand it for serious issues, details are not made public until a first fix has been made, tested and distributed. Indeed at the time of writing on May 14th, CVE-2019-3568 which describes this Whatsapp issue is merely reserved and there is no detailed public pronouncement of the issue or its resolution.
- Technology has many benefits. But also a few disadvantages. Like being hacked.
- These are complex programming systems, and they can never be perfect, especially when new features and hence code changes are introduced.
- Android and Apple iOS already have automated application store update options
- When a vulnerability is discovered it is worked on immediately by responsible developers and then the fixed app is loaded to the Application store
- In parallel, actually possibly even before the fixes are fully released, the vulnerability is often made public on the CVE database
- If you choose to use the technology, and at some level you will and must in 2019, the best you can do for your Smartphone is to keep the Auto Updates switched ON.
- My Android phone updates in the early hours, every day.