Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

WhatsApp Vulnerability Left iPhones Vulnerable to Israeli Spyware [Updated]

MacRumors

macrumors bot
Original poster
Apr 12, 2001
50,473
11,861



WhatsApp today disclosed a vulnerability that allowed hackers to remotely exploit a bug in the app's audio call system to access sensitive information on an iPhone or Android device.

According to The New York Times, attackers were able to insert malicious code into WhatsApp, allowing them to steal data, regardless of whether or not a WhatsApp phone call was answered.

Security researchers said that the spyware that took advantage of this flaw featured characteristics of the Pegasus spyware from NSO Group, which is normally licensed to governments who purchase the spyware for installing on the devices of individuals who are the target of an investigation.
Description:A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.

Affected Versions: The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.
The vulnerability was described by WhatsApp as "nontrivial to deploy, limiting it to advanced and highly motivated actors," but it's not clear how long the security flaw was available nor how many people were affected. It was used to target a London lawyer who has been involved in lawsuits against the NSO Group, and security researchers believe others could have been targeted as well.

WhatsApp engineers "worked around the clock" to address the vulnerability, and made a patch available on Monday. The initial vulnerability was discovered ten days ago after WhatsApp found abnormal voice calling activity following complaints from the aforementioned lawyer. WhatsApp says that it has notified the Department of Justice and a "number of human rights organizations" about the issue.

Update: Reader comments suggested that some of the wording in this article was confusing or misleading, so we have updated it to make sure the details of the vulnerability are clear. Specifically, this issue impacted WhatsApp, not the iOS operating system.

Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.

Article Link: WhatsApp Vulnerability Left iPhones Vulnerable to Israeli Spyware [Updated]
 

Sasparilla

macrumors 68000
Jul 6, 2012
1,506
2,422
Shocking (not), the top messaging app in many countries is compromised by a State run security agency. The question is whether this was by accident, partnership or from someone on the inside.

Apple's OS's, messaging apps and ROMs have to be prime targets by just about every security agency out there.
 
  • Like
Reactions: Regbial and CREA

stylinexpat

macrumors 68000
Mar 6, 2009
1,965
4,188
So who here finds this surprising? This couldn't possibly happen from our ally now could it..? :rolleyes:o_O Maybe the Palestinians, Hamas,Iranians or Hezbollah was behind it o_O
 

m0sher

macrumors 6502a
Mar 4, 2018
808
775
Anyone else find it extremely disturbing Israelis spying?

Luckily they don’t make phones.
 

Mascots

macrumors 68000
Sep 5, 2009
1,616
1,314
How did this vulnerability make it past the App Store review process? Do app reviewers take bribes to allow spy trash like this into apps?

This exploit is sideloaded and delivered to WhatsApp outside of the App Store.

The App Store itself does not vet apps for vulnerabilities (that would be impossible), but it does vet them for these types of warez directly.
[doublepost=1557803453][/doublepost]
So a bug in WhatsApp can install unsigned apps? That sounds like iOS has the bigger security bug

I just searched a little and it looks like this exploit is scoped solely to WhatsApp's VOIP stack (and within the sandbox) and whatever WhatsApp had permissions for. It will access all of your photos, if you've allowed WhatsApp access, for example.

I can't find any evidence of any additional system exploiting, yet. But this seems why it's able to affect such a wide range of systems - it is spyware within WhatsApp itself.
 
Last edited:

Intellectua1

Suspended
Jun 3, 2016
207
399
Seattle, Washington
Nah, not on iOS, it's so private and secure things like this or the carrier tracking situation could never be an iPhone issue. Yeah Privacy Timmy!
[doublepost=1557803965][/doublepost]
Shocking (not), the top messaging app in many countries is compromised by a State run security agency. The question is whether this was by accident, partnership or from someone on the inside.

Apple's OS's, messaging apps and ROMs have to be prime targets by just about every security agency out there.
iOS has been cracked most likely, the information just hasn't been leaked. There's nothing in this day and age that can't be exploited.
 

Shirasaki

macrumors G4
May 16, 2015
10,285
4,110
Good example.

I’m being naïveté , every country is doing it, just that it’s illegal and I wonder what consequences we should start holding against those who do get caught?

And more importantly what tech can do to prevent it and protect us?
No. No tech can prevent this happen and protect people because people running those tech companies do not care about general public and their situations. This is always the problem of the people, not the tech.
 
  • Like
Reactions: dysamoria

realtuner

Suspended
Mar 8, 2019
1,714
5,053
Canada
So a bug in WhatsApp can install unsigned apps? That sounds like iOS has the bigger security bug

Nah, not on iOS, it's so private and secure things like this or the carrier tracking situation could never be an iPhone issue. Yeah Privacy Timmy!

Two ridiculous comments. So if iOS is the problem, how come the fix was done via a patch to the WhatsApp App itself and also a server side update to WhatsApp? How come there's no updates for iOS or Android (since, you know, this exploit also worked with WhatsApp on Android) to fix this issue?

NVM, because Apple.
 

farewelwilliams

macrumors 68040
Jun 18, 2014
3,680
14,768
I’d say it’s arguably worse as they could remote install software to your phone which could do any number of things including scraping all of your information stored on the phone.

apps are sandboxed so even if it took over the whatsapp completely, it has no access to files outside what whatsapp is allowed to access. at least on iOS.

of course Android is a different story.
 
  • Like
Reactions: Kengineer and hagar

Marshall73

macrumors 68000
Apr 20, 2015
1,745
1,504
apps are sandboxed so even if it took over the whatsapp completely, it has no access to files outside what whatsapp is allowed to access.

This is true. Although there is the possibility of zero day exploits in iOS which would allow them to access data outside of the sandbox. A zero day bug like this would be far more dangerous when you already have access to the phone remotely.

A many zero day exploits need physical device access or user interaction. And many hacks on other platforms require the use of multiple exploits to work.
 
  • Like
Reactions: dysamoria

apolloa

Suspended
Oct 21, 2008
12,318
7,798
Time, because it rules EVERYTHING!
So a bug in WhatsApp can install unsigned apps? That sounds like iOS has the bigger security bug

Yes I was thinking that. I mean Whatspp was obviously buggy, or considering Facebook own it it was by design.... anyway, it had this bug that allowed it to completely bypass any and all iOS security??
That’s a failure of the iOS coding is it not? It’s not protecting those back doors.
 

gnasher729

macrumors P6
Nov 25, 2005
17,395
4,621
iOS has been cracked most likely, the information just hasn't been leaked. There's nothing in this day and age that can't be exploited.
"In this day and age" - how old are you?
[doublepost=1557816988][/doublepost]I would really like to know what are actual known facts, and what has been made up by some "journalist" based on their imagination, or on their wish to make the article found more interesting.

If there is a bug in an application that allows a hacker to install software on an iPhone, then this is a major, major vulnerability in iOS. So there are clearly two possibilities: Either there is a HUGE vulnerability in iOS, or the bit of installing software on the iPhone is just in someone's imagination.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.