Recent WhatsApp Vulnerability – Facebook messaging and my thoughts

Around a month ago, WhatsApp fixed a devastating vulnerability (a zero-day in that case) – it allowed someone to remotely hack a phone by simply initiating a WhatsApp voice call. The recipient didn’t even have to answer the call! That’s pretty scary! The good thing is – it has been fixed. For those interested in reading more about it (if you haven’t by now) – Wired has a great article about it here.

Now, let’s take a look at the release notes (Apple App Store release notes as of 18th June 2019):

For the last three release versions (2.19.51, 2.19.60 and 2.19.61) all we see in the release notes is:
“You can now see stickers in full size when you long press a notification.”

As we know, this very dangerous vulnerability was fixed in version 2.19.51, as per the CVE-2019-3568 security advisory – which is listed only on a Facebook page and not mentioned anywhere else around WhatsApp, neither on their website nor in the changelog (as seen above).

I think this is an example of very poor messaging and a lack of transparency from Facebook. WhatsApp is used by over 1.5 billion users worldwide – a very large user base. This is a very serious vulnerability and I feel that Facebook should have been much more transparent about it. If one were to look at the release notes, seeing only a mention of “stickers” may not be a compelling reason to update – at least not immediately. If Facebook were more transparent about the actual security content of a new release, I am sure many users would update straight away (it would be great to have some data around that in the future). WhatsApp is used by all kinds of people around the world: human rights groups, companies and, of course, everyday people. When everyone puts so much trust in a product or platform and uses it very often or on a daily basis, companies should do a much better job with transparency – especially around security. While I understand that it is sometimes best, for various reasons, not to release some information before most systems have been patched, I think Facebook should have been more upfront about this WhatsApp vulnerability and the possible implications of not updating, and should have created user awareness to ensure everyone is patched and secured as soon as possible. Facebook did very poorly on this one.

I personally do not have a Facebook account and only use WhatsApp due to many of my connections, friends and family members using it. I wish more people were using Signal instead.