What Developers Need to Know About WhatsApp’s Recent Security Dilemma

Last week, reports such as this one from Dark Reading surfaced a remotely exploitable bug in Facebook’s popular WhatsApp chat app that could be used to spy on users and that specifically targeted human rights groups. Facebook patched the flaw last week in the latest WhatsApp version, 2.19.244.

At Sonatype, we emphasize knowing what is actually vulnerable in your code as deployed, not just what developers declare they are using. In Facebook’s case, proprietary code relied on an open source component whose embedded native C code became vulnerable. Facebook decided to eliminate the dependency, but the episode shows that not having a grasp of the components your core code depends on can have negative consequences.


Thanks to a researcher called Awakened, you can avoid innocent-looking GIFs in WhatsApp stealing data and private conversations from your Android devices — if you update to the latest version.

Malicious Memory

Facebook and WhatsApp, two “free” social media apps, are juicy targets for malicious activity. How the apps are built, and specifically how they use processor memory, invites attacks through this vector.

Dark Reading’s Jai Vijayan explains:

“The bug does not exist in WhatsApp itself but rather in an open source library that the application uses to parse media files. The so-called double-free vulnerability (tracked as CVE-2019-11932) stems from how memory is allocated when GIF images are parsed in WhatsApp. A double-free vulnerability involves an app calling the same memory space on a device twice, resulting in a memory leak.”
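To make the bug class in that quote concrete, here is an added illustration written for this post; it is not code from WhatsApp, from the affected GIF library, or from Dark Reading. It models a media decoder that keeps one pixel buffer and reallocates it per frame: a release on an error path that is repeated on the next iteration is a double free, and from a defender's view the important property is that freeing the same block twice corrupts allocator state, which is why such bugs are reachable from a crafted file. The two-byte frame header "format", the stream contents and every function name are constructed for the example. The hardened decoder rejects zero-sized frames before allocating and clears every pointer it frees, so a repeated release becomes a harmless `free(NULL)`.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed decoder state: one reusable pixel buffer for the current frame. */
typedef struct {
    uint8_t *frame;
    size_t   frame_len;
    int      frames_decoded;
} decoder_t;

/*
 * Vulnerable pattern. The "stream" is a constructed sequence of 2-byte frame
 * headers (width, height). The buffer is released at the top of each
 * iteration, but on the error path for a zero-sized frame the stale pointer
 * is left in d->frame, so the next iteration frees the same block again.
 * Shown for comparison only; never run it on untrusted input.
 */
static int decode_vuln(decoder_t *d, const uint8_t *stream, size_t len) {
    for (size_t i = 0; i + 1 < len; i += 2) {
        size_t w = stream[i], h = stream[i + 1];
        free(d->frame);                 /* release the previous frame ...      */
        if (w == 0 || h == 0)
            continue;                   /* ... but d->frame still points at it */
        d->frame = malloc(w * h);
        if (d->frame == NULL)
            return -1;
        d->frame_len = w * h;
        memset(d->frame, 0, d->frame_len);   /* stand-in for pixel decoding */
        d->frames_decoded++;
    }
    return d->frames_decoded;
}

/*
 * Hardened version: a zero-sized frame is rejected before any allocation,
 * every free() is immediately followed by clearing the pointer (so a repeated
 * release is a harmless free(NULL)), and realloc() failure does not leave a
 * dangling pointer behind.
 */
static int decode_safe(decoder_t *d, const uint8_t *stream, size_t len) {
    for (size_t i = 0; i + 1 < len; i += 2) {
        size_t w = stream[i], h = stream[i + 1];
        if (w == 0 || h == 0) {
            free(d->frame);
            d->frame = NULL;
            d->frame_len = 0;
            return -1;                  /* malformed frame: stop decoding */
        }
        uint8_t *nf = realloc(d->frame, w * h);   /* w, h <= 255: no overflow */
        if (nf == NULL) {
            free(d->frame);
            d->frame = NULL;
            d->frame_len = 0;
            return -1;
        }
        d->frame = nf;
        d->frame_len = w * h;
        memset(d->frame, 0, d->frame_len);
        d->frames_decoded++;
    }
    return d->frames_decoded;
}

static void decoder_release(decoder_t *d) {
    free(d->frame);
    d->frame = NULL;
    d->frame_len = 0;
}

/* Run the hardened decoder over a stream; returns frames decoded or -1. */
int run_safe(const uint8_t *stream, size_t len) {
    decoder_t d = {0};
    int r = decode_safe(&d, stream, len);
    decoder_release(&d);
    return r;
}

/* Constructed inputs: three well-formed frames, and a stream with zero-sized frames. */
int demo_well_formed(void) {
    const uint8_t good[] = {4, 4, 8, 2, 16, 16};
    return run_safe(good, sizeof good);        /* 3 */
}
int demo_malformed(void) {
    const uint8_t bad[] = {4, 4, 0, 0, 0, 0, 2, 2};
    return run_safe(bad, sizeof bad);          /* -1 */
}

int main(void) {
    const uint8_t good[] = {4, 4, 8, 2, 16, 16};
    decoder_t d = {0};
    /* The vulnerable decoder behaves normally on well-formed input, which is
       why this class of bug survives ordinary functional testing. */
    printf("vulnerable decoder, well-formed stream: %d frames\n",
           decode_vuln(&d, good, sizeof good));
    decoder_release(&d);
    printf("hardened decoder, well-formed stream:   %d frames\n", demo_well_formed());
    printf("hardened decoder, malformed stream:     %d (rejected)\n", demo_malformed());
    return 0;
}
```

The point for a developer is the one the article makes about deployed code: the vulnerable decoder passes every test that uses well-formed media, so the defect only shows when a fuzzer or a sanitizer build (for example AddressSanitizer, which reports double frees directly) feeds it malformed frames. Running native dependencies under such tooling before shipping is how this class is caught without waiting for a researcher to report it.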

When We Contain These Risks, Others Do, Too

Developers who unknowingly use compromised libraries pass along the risks to others. Our own DJ Schleen explains in this video.

DJ’s two recommendations:

Update as appropriate. Keep your component libraries fresh. The latest Software Supply Chain Report demonstrates newer components are less risky than older ones. But not always!

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Katie McCaskey. Read the original post at: