WhatsApp disclosed 6 security bugs through its dedicated security advisory site, detailing how they could allow attackers to execute code remotely.
WhatsApp is a messaging application used by more than two billion users worldwide. All vulnerabilities are disclosed on a dedicated security advisory site intended to provide more transparent details about vulnerabilities for users and security professionals.
"We take the security of our users very seriously and provide industry-leading protection for our users around the world. Our WhatsApp security team works with experts from around the world to stay ahead of potential threats."
[Says the official WhatsApp blog post](https://www.whatsapp.com/security/advisories/2020/)

6 security bugs were found in WhatsApp
- CVE-2020-1894 – A stack write overflow bug in WhatsApp Business for Android
- CVE-2020-1891 – A user-controlled parameter used in video calls in WhatsApp for Android
- CVE-2020-1890 – A URL validation issue in WhatsApp for Android
- CVE-2020-1889 – A security feature bypass issue in WhatsApp Desktop versions
- CVE-2020-1886 – A buffer overflow in WhatsApp for Android
- CVE-2019-11928 – An input validation issue in WhatsApp Desktop versions
CVE-2020-1894
A stack write overflow that allows attackers to execute arbitrary code when playing back a specially crafted push-to-talk message.
It affects WhatsApp for Android prior to v2.20.35, WhatsApp Business for Android prior to v2.20.20, WhatsApp for iPhone prior to v2.20.30, and WhatsApp Business for iPhone prior to v2.20.30.
CVE-2020-1891
A user-controlled parameter used in a video call in WhatsApp allowed an out-of-bounds write on 32-bit devices.
The bug affects WhatsApp for Android prior to v2.20.17, WhatsApp Business for Android prior to v2.20.7, WhatsApp for iPhone prior to v2.20.20, and WhatsApp Business for iPhone prior to v2.20.20.
CVE-2020-1890
A URL validation issue in WhatsApp for Android prior to v2.20.11 and WhatsApp Business for Android prior to v2.20.2 would allow execution of malformed data in a tag message that loads images from a sender-controlled URL.
CVE-2020-1889
A security feature bypass issue in WhatsApp Desktop versions prior to v0.3.4932 could have allowed sandbox escape in Electron and privilege escalation if combined with a remote code execution vulnerability within the sandboxed rendering process.
CVE-2020-1886
A buffer overflow in WhatsApp for Android prior to v2.20.11 and WhatsApp Business for Android prior to v2.20.2 could have allowed an out-of-bounds write via a specially crafted video stream after receiving and answering a malicious video call.
CVE-2019-11928
An input validation issue in WhatsApp Desktop versions prior to v0.3.4932 could have allowed cross-site scripting when clicking a link in a specially crafted live location message.
Stay alert to potential vulnerabilities
Cybercriminals could exploit these 6 bugs to commit fraud and impersonate you by taking control of your personal WhatsApp account. In a previous post we saw the same outcome through SS7 attacks, so our recommendations for protecting yourself remain the same:
- As an additional protection for WhatsApp, you can activate two-step verification to add more security to your account.
- Never share your authentication codes with people posing as someone authorized to receive them. Beware of catfishing.
- Keep your application updated to avoid potential vulnerabilities that could be used to hack you.
