You should put WhatsApp on permanent vacation mode

Today we’re taking a look at a set of three WhatsApp news stories that should help you decide whether to continue using the app. One has to do with a viral “Argentina Is Doing It” message about COVID-19. Another is about a future update to WhatsApp that’ll introduce a Vacation Mode – hopefully. The third story includes information on 6 previously undisclosed security vulnerabilities delivered by WhatsApp.

Hoax messaging

There’s a message spreading through WhatsApp with a note about an Argentina video about COVID-19. This message reads something like the following: “If you recieve a video by Whatsapp called “Argentina is doing it”, do not open it or watch it. It is a virus that hacks your phone and connot be stopped.”

The message could also suggest something to the tune of: “They are going to start circulating a video on WhatsApp that shows how the Covid19 curve is flattening in Argentina. The file is called “Argentina is doing it”, do not open it or see it, it hacks your phone in 10 seconds and it cannot be stopped in any way. Pass the information on to your family and friends. Now they also said it on CNN.”

This is false. While there is likely a video somewhere about said topic, the message itself is a version of a sort of “chain letter” the likes of which we’ve seen for the past several decades, as noted by a Snopes article this week. This sort of thing translated VERY WELL over to the digital age, where it’s far easier to convince any individual to believe what’s written and pass said message on to friends and associates.

WhatsApp itself is not necessarily responsible for the content of the messages sent on WhatsApp. But the fact that something like this can spread with such little effort says a lot about the platform and how potentially dangerous it can be for users prone to believing whatever they read.

WhatsApp vulnerabilities

A new set of previously undisclosed vulnerabilities for Android and iOS. This 2020 update includes CVE-2020-1894, 1891, 1890, 1889, 1886, and 11928. The warnings here come on both iOS and Android, with a common thread – if you keep your WhatsApp updated all the time, you should remain relatively safe… or at least you’ll be safe from these vulnerabilities NOW if you have the latest version of the app on any platform.

One is a stack write overflow issue that could have “allows arbitrary code execution when playing a specifically crafted push to talk message.” Another vulnerability had a user controlled parameter used in a video call which could have allowed an out-of-bounds write on 32-bit devices. That’d only really affect older devices – but still, it’s a bummer.

Another vulnerability had to do with a URL validation issue, where “the recipient of a sticker message containing deliberately malformed data to load an image from a sender-controlled URL without user interaction. That’d be a rude awakening, to be sure.

There was a security feature bypass issue with the desktop version of WhatsApp, too. This vulnerability “could have allowed for sandbox escape in Electron and escalation of privilege if combined with a remote code execution vulnerability inside the sandboxed renderer process.” That all means that the desktop version of WhatsApp could – with a lot of effort – do some significant damage to your desktop and the data therein.

An Android-specific vulnerability worked with a buffer overflow that could have allowed an out-of-bounds write via a specifically crafted video stream “after receiving and answering a malicious video call.” Another desktop vulnerability for WhatsApp included input validation, potentially allowing cross-site scripting upon clicking a link from a specifically crafted live location message.

Vacation Mode

On the positive side of things, there’s a new update to the Beta version of WhatsApp that could potentially add a so-called Vacation Mode to the system. This is version 2.20.199.8 Beta, and it adds “Auto hide inactive chats.” This feature says: “Chats with no activity for 6 months will automatically come to view later.”

This was previously tipped to be called Vacation Mode, now called Ignore archived chats. Per WABetaInfo this beta version also includes a move of Archived chats to the top of your chats list.

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: