WhatsApp Security

Our first and foremost concern, and also the main worry of our users, is the security and privacy of communications over WhatsApp
73 Security flaws
History
Antony Peel, 08/12/2024. Translated by Manuel Sánchez

2024

Windows
07/27/2024
WhatsApp for Windows allows the execution of Python and PHP scripts without warnings
In early June 2024, security researcher Saumyajeet Das found a vulnerability in the desktop version of WhatsApp Messenger. While experimenting with sending and receiving different kinds of attachments, he found if a user receives a .PHP, .PYZ, .PYZW, or .EVTX file through the WhatsApp client for PC, it can be executed by simply clicking the Open button without any warning about it. The execution of other extensions such as .EXE, .COM, .SCR, .BAT, .DLL, .HTA or .VB is blocked. As these extensions are not found in the Meta app blocklist, they facilitate the distribution of Python and PHP scripts that are executed by simply opening them. This can lead to the remote execution of malicious code, as long as the target computer has Python installed. As of the end of July 2024, Meta had not yet fixed this security flaw.

2022

Android IOS Mac Windows WebApp
11/16/2022
Massive WhatsApp data theft puts almost 500 million phone numbers information on sale
On November 16, 2022, an announcement about the sale of 487 million phone numbers belonging to WhatsApp users was posted on a well-known hacking forum. These users are from 84 different countries, the majority being from Egypt (45 million), Italy (35 million), the United States (32 million), Saudi Arabia (29 million), France (20 million), and Turkey (20 million). In Spain, the number of affected users is estimated to be around 10 million. Reliable sources checked the data against a sample provided by the sellers and were able to confirm that they were phone numbers of real WhatsApp users. It is suspected that the data could have been obtained by means of the scraping technique, which is against WhatsApp's terms and conditions of use, although the person behind the break-in did not want to confirm at any time the method used.
Source:
Android IOS
09/22/2022
A buffer overflow in WhatsApp could enable remote code execution in an already established video call
The CVE-2022-36934 vulnerability was detected on September 22nd, 2022, classified as a critical vulnerability, and fixed on September 23rd. It affected WhatsApp for Android versions before 2.22.16.2 and iPhone versions before 2.22.16.12. It also affected WhatsApp Business mobile apps before versions 2.22.16.12 on both operating systems. Through this security breach, a malicious attacker could manipulate a Video Call Handler function input, causing a buffer overflow and enabling remote code execution during the ongoing video call.
Android IOS
09/22/2022
A buffer overflow in WhatsApp could lead to remote code execution upon receiving a manipulated video file
The vulnerability CVE-2022-27492 was detected on September 22nd, 2022, classified as highly dangerous, and fixed just one day later. It affected Android versions before 2.22.16.2 and iPhone versions before 2.22.15.9. Through this security flaw, a malicious attacker could exploit the Video File Handler input of a video sent via WhatsApp to execute remote code on the recipient's mobile device.
Android IOS Mac Windows
02/02/2022
An attacker could cause out-of-bounds reading by sending an incorrectly formatted RTCP packet during a call
The acronym RTCP stands for Real-Time Control Protocol, a communication protocol commonly used for making calls and video calls between users of communication apps such as WhatsApp. Earlier in February 2022, a bug was detected in a link control in the analysis code of the RTCP indicator, which is the code responsible for reporting the quality of the RTP stream, the one that actually transports the data. It means that a user could send an incorrectly formatted RTCP packet during a call in progress and cause dynamic storage to be read outside of the allowed limits.
Android IOS Mac Windows
01/05/2022
A bug in the logic used to design the calling system allowed potential attackers to force a buffer overflow
Known as Call Handler, this is the software component used by WhatsApp to make calls between users. In theory, it was possible to cause a buffer overflow by manipulating an input and writing out of bounds.

2021

Android
07/12/2021
A programming error involving a missing boundary check in the image blur feature could enable out-of-bounds writing and a buffer error with a malicious image
WhatsApp, through its security advisories, made public in December 2021 the vulnerability CVE-2021-24041, first recorded in July of that same year. The security flaw was in the image blur feature, which is widely used in the app in all sorts of scenarios. Potential attackers, taking advantage of a code error in the bounds checking associated with this functionality, could cause an out-of-bounds write and buffer overflow by sending a malicious image. The bug affected Android versions of the app before 2.21.22.7 released in October 2021, including the Business version.
Android
06/11/2021
A bug in filename validation could allow an attacker to overwrite files in the app
A bug in WhatsApp Messenger's filename validation process could allow an attacker to breach the integrity and confidentiality of the victim's data. Known as a cross-class vulnerability, the problem occurs when unzipping files. The lack of validation on filenames during the process could allow file overwriting using cross-path attacks, providing access to directories that should be restricted. This is a simple attack that could be performed remotely and is easy to exploit as no authentication is required, although interaction with the victim is necessary.
Android
04/14/2021
A vulnerability in the Android versions of WhatsApp Messenger allows Man-in-the-disk attacks through an HTML file and the Chrome browser
A security flaw allows cryptographic information to be collected from a user's external storage. To do this, an HTML file is sent to the victim, and once it is opened with Chrome, executes a code by taking advantage of its support for content providers. At that point, you have access to TLS cryptographic material (in TLS 1.2 and 1.3 sessions) stored in the cache, as WhatsApp saves the TLS session key details in an unprotected external storage area, thus making it possible to compromise communications and our account, execute remote code and extract Noise protocol keys commonly used in end-to-end encryption of communications.
Android IOS
04/14/2021
An error in decoding audio from incoming calls could cause writing beyond the possible limits and cause memory overflow
A remote attacker could initiate a voice call via WhatsApp specifically designed to cause a memory overflow during its processing, exploiting a flaw in the limits checking system. By causing off-limits writing, the app crashes. No specific technical details about the vulnerability have been provided.
Android IOS Mac Windows WebApp
04/10/2021
Due to a technical error in the initial login process and a simple contact email to the user support address, user accounts can be blocked, even permanently
A user can install a WhatsApp client and initiate the login process using the phone number of a third party. After several failed attempts sending wrong codes or repeatedly requesting new codes (as the actual 6-digit verification code always reaches the victim who could not be aware of what is going on) WhatsApp blocks the sending of new codes for 12 hours. At this point, the second weakness comes into play, as the attacker might contact WhatsApp's lost or stolen accounts department, and by simply showing the victim's phone number, impersonate the victim to block its access, taking advantage of the fact that it is an automated communication platform. If the attacker also repeats the operation for several 12-hour cycles and the victim is not able to regain control of the account in between, the attacker could permanently lock the account and force the victim to contact WhatsApp directly to recover the account.
Android
02/02/2021
A problem in the image filter feature can cause writing out of bounds and grant access to WhatsApp memory on the phone of the victim
Security firm Check Point Research notified WhatsApp on November 10, 2020, of a security backdoor in the image filter feature which could grant an attacker access to information stored in the WhatsApp memory by writing out of bounds. The attack, which in any case requires user interaction, is certainly complex to execute and is not known to have been implemented, uses a predesigned GIF image that is sent to the victim. When the victim edits the image by applying certain filters such as blurring, the original image pixels are modified, a complex process where data is read, manipulated, and overwritten. The error occurs when forwarding the result to the sender. Further technical details of this error became known on September 2, 2021. It was supposed to be fixed as of version 2.21.1.13 of the app released in February 2021 by introducing two new verification processes on the image source and the image filter related to the backdoor.
Source:

2020

IOS
11/05/2020
A library error could corrupt the memory, enable code execution, and cause other failures in the app
A chain of different events could cause memory corruption in the app, failures, and execution of malicious code. The bug was linked to a problem in a registry library used in versions before 2.20.111 of WhatsApp Messenger and WhatsApp Business for iOS. To cause the failure, different scenarios were necessary in a certain order, among them, receiving an animated sticker while placing a video call on hold.
IOS
11/05/2020
Use Siri to manage WhatsApp iOS even when the screen is locked
A glitch with the incorrect authorization of the screen lock feature in the iOS versions of WhatsApp Messenger and WhatsApp Messenger Business before version 2.20.100 made it possible to use Siri to manage the application even after locking the phone.
Android IOS
10/06/2020
Execution of arbitrary code to cause a stack overflow
By analyzing the content of RTP extension headers, it was possible to execute arbitrary code and cause an overflow in the WhatsApp stack.
Android
10/06/2020
Buffer overflow from local videos encoded with a certain audio format
By processing poorly formed local videos with E-AC-3 audio streams, it was possible to enable off-limit writing and cause a buffer overflow.
Android
10/06/2020
Malicious apps with possible access to attached content
An error in the Media ContentProvider URIs (Uniform Resource Identifier) used to open attachments in third-party applications caused them to be generated sequentially, meaning that a malicious third-party app could open the file and guess the URIs of previously opened attachments.
IOS
10/06/2020
Overwriting cross directory files
An error in path validation when sending DOCX, XLX, and PPTX files designed as attachments to messages allowed overwriting of cross directory files.
IOS
10/06/2020
Denial of service through DOCX, PPTX, and XLSX files
When decompressing a regular DOCX, PPTX, or XLSX document from the Office suite, it was possible to cause a denial of service as a result of a lack of memory, which requires that the phone number sending the file was not in our contact list.
Android
10/06/2020
Certain searches may open Google using simple HTTP
A failure to perform quick searches on a heavily forwarded message could send the user to the Google search service using simple HTTP.
IOS
10/06/2020
Application blocking by sending long messages
By sending a large message containing a URL, it was possible to block the iOS client by causing the app to freeze when processing the message.
Android IOS
09/03/2020
Execution of malicious code through push to talk voice messages
An attacker could have used the push to talk function of sending messages to execute arbitrary malicious code.
Android IOS
09/03/2020
Allowed off-limit writing on 32-bit devices
Through video calls, a user could enable off-limit writing on 32-bit devices.
Android
09/03/2020
Stickers linked to URLs without permission
A problem with URL validation allowed stickers to be sent with URL links that opened automatically without the user's permission.
Mac Windows
09/03/2020
Omission of security features in WhatsApp Desktop
A security feature omission problem in versions of WhatsApp Desktop prior to v0.3.4932 could have allowed the escape of the test zone in Electron and the escalation of privileges if combined with a remote code execution vulnerability within the test zone rendering process.
Android
09/03/2020
Buffer overflow
It enabled off-limits writing through video transmissions designed to act on response.
Mac Windows
09/03/2020
Input validation problem
Through the live location messages, an attacker could have allowed cross-site scripting via a link.
IOS Mac Windows
01/21/2020
Vulnerability in link preview using Desktop and iPhone
A vulnerability that combines WhatsApp Desktop and WhatsApp for iPhone makes it possible, by a victim's click on a preview of a link designed for this purpose, to create scripts between sites and read local files.
Source:

2019

Android IOS Mac Windows WebApp
12/17/2019
Crashes of the app in group members
Using WhatsApp Web, Google Chrome, and a remote server in Python, the attacker can modify the name of the participant in a group and cause crashes by entering an infinite loop. The only solution was to reinstall the app, with the consequent loss of group data.
Source:
Android
11/14/2019
Hacking the app using MP4 files
By sending a contact and then downloading an MP4 file along with its metadata, memory was corrupted and a DoS or RCE attack was generated. Attackers could spy on data and steal files remotely.
Source:
Android
10/23/2019
Buffer overflow in Android libraries
A stack buffer overflow error is found in an Android library, specifically called libpl_droidsonroids_gif before its version 1.2.19 that could allow a remote attacker to run arbitrary code and cause a denial of service. The error could affect versions of WhatsApp Messenger Android prior to version 2.19.291.
Source:
Android
10/03/2019
Execution of remote code by creating and sending GIFs
A bug in an Android library related to GIFs contained a double vulnerability in the DDGifSlurp function. Through this vulnerability, remote attackers could execute code and cause a denial of service by analyzing GIFs specifically designed for that purpose.
Source:
Android IOS
09/27/2019
Attacks using EXIF tags on WEBP images
An attacker could use the EXIF tags of the WEBP-type images to write off-limits and overflow the media analysis libraries.
Source:
Android IOS Mac Windows WebApp
08/08/2019
Code failure allows message manipulation (II)
Although WhatsApp reported having solved this vulnerability, initially reported in August 2018, the same researchers discover that the problem has not been solved and it is still possible to manipulate messages and make them look real.
Source:
Mac Windows
07/16/2019
Error when performing correct input validation
A problem in the check and input process allowed malicious files to be sent to users that were displayed with an incorrect extension.
Source:
Android
07/15/2019
Media File Jackin
An error was detected whereby WhatsApp and Telegram media files were visible to each other via SD card storage. In this way, it was possible to modify a file or document before it was sent.
Source:
Android IOS Windows
05/14/2019
Security flaw with possible attacks through phone calls. Vulnerability in the WhatsApp VoIP buffer stack Remote code execution through RTCP packets sent to a number by phone calls
A security flaw allowed espionage through phone calls. It is suspected that the cybersecurity company NSO took advantage of the error to offer an espionage tool on a commercial level. Upon receiving a call and without having to answer it, spy software was installed. The calls could leave no trace. Journalists, political dissidents, diplomats, and members of different governments, were victims of the software called Pegasus, later confirmed by WhatsApp to have affected around 1400 people.
Android
05/10/2019
Recovery of previously sent messages
An error in the development logic allowed someone with access to the account to retrieve previously sent messages. In any case, it was necessary to know the metadata of those messages, that in theory are not publicly available.
Source:
Android IOS Windows
01/28/2019
Stack error on failure to calculate transmitted data when receiving calls
Writing error outside the space assigned to the stack when receiving calls, the amount of data being passed was not properly considered in the stack assignment.
Source:
IOS
01/28/2019
Stack overflow when receiving calls on iPhone
In WhatsApp for iOS, a failure in the sizing process of analyzing packets in the sender when receiving a call could cause a stack-based overflow.
Source:

2018

Android IOS
10/10/2018
Memory heap overflow when receiving video calls
RTP implementation problems allow taking control of a client through a video call designed for that purpose. It affects Android and iOS, not WhatsApp Web as it uses WebRTC for this function.
Android IOS Mac Windows WebApp
08/07/2018
Code failure allows message manipulation
A security breach detected by an external company allowed criminals to intercept and manipulate sent messages. The error made it possible to change a participant's response, quote messages from people who had not written those texts, or send messages to members of groups that, although seemingly group-based, were only visible to that user.
Source:
Android IOS Mac Windows WebApp
05/31/2018
Content sharing button plugin failed
MULTIDOTS Add Social Share Messenger Buttons WhatsApp and Viber 1.0.8 Plugin for WordPress presents a bug allowing a phishing or social engineering attacker to get a WordPress site administrator to change the Plugin's settings using Cross-Site Request Forgery (CSRF) in wp-admin/admin-post.php.
Source:
Android IOS
05/23/2018
Receiving messages from blocked contacts
Users on social networks warn that a blocked user is able to continue sending messages. The error appears to be related to an update of the WhatsApp mobile clients for both Android and iPhone, and would be resolved shortly thereafter by a new update.
Android IOS Windows
01/28/2018
Error in RTP headers
Incorrect analysis of the RTP extension headers made out-of-bounds reading possible.
Source:
Android
01/28/2018
Stack overflow when receiving calls on Android
In WhatsApp for Android, a failure in the sizing process of analyzing packets in the sender when receiving a call could cause a stack-based overflow.
Source:

2017

WebApp
10/09/2017
Tracking contact activity on WhatsApp Web
Researcher Rob Heaten discovers a bug in WhatsApp Web that allows monitoring of contact activity. By using a Chrome extension, it is possible to record the connection times even though they are hidden from view in order to compare the information with other contacts to establish patterns, routines, and even conversations held between them.
Source:
Android IOS Mac Windows WebApp
07/01/2017
Group self-invitations
German researchers warn of a bug whereby a person with access to WhatsApp's servers can self-invite in group chats. From Facebook, they do not give it enough importance, since as it has been said it is necessary to have access to the servers, which is very hard, and in addition, the participants of the groups can see that a new person has joined with no invitation. They also do not have access to previously sent messages.
Android
04/09/2017
Information not removed from the SD card and accessible to other apps
WhatsApp for Android does not delete sent and received files from the device's SD card when a chat is deleted or the app is uninstalled. The data on the SD card is stored without encryption and is accessible to other applications with storage access permissions. According to Facebook, this is not an error, but the expected performance to allow users to export data.
WebApp
03/15/2017
Account theft through photos or videos
A vulnerability made it possible to send messages or videos that were normal in the preview but contained HTML code, capable of loading malware through the browser. In this way, it was possible to take full control of the user's account, read their messages, send them, or view the multimedia content. The vulnerability was reported on March 8 of that same year, one week earlier. When it was made public it was already fixed.
Source:
Android IOS Mac Windows WebApp
01/13/2017
Security flaw that enables messages to be read
German researcher Tobias Boelter discovers an error in the app's end-to-end encryption. When generating the security keys using the Open Whisper Systems Signal protocol, it is discovered that WhatsApp can force the creation of new keys for offline users. Many security experts believe that this error is not such, and in fact, the media The Guardian, that initially published the error, retracted its words.

2016

IOS
08/02/2016
Conversations are not deleted
After the arrival of message encryption, a researcher discovered a flaw in the SQL libraries that would allow us to track deleted conversations with our contacts. According to their analysis, it would only be possible to completely delete a conversation by deleting and reinstalling the app.
Android IOS Mac Windows WebApp
05/06/2016
Message Encryption Failure
A Russian computer security company discovers how it is possible to spy on conversations using the security holes of the SS7 protocol. By connecting to the network node that serves the device and taking advantage of the error, they could steal the authentication SMS and impersonate the participants. This could happen as long as the default security settings were used, since the option "Show security notifications" in the settings was not activated, which could warn the user of a problem. In any case, it is more protocol error than WhatsApp.

2015

WebApp
09/08/2015
Malware installation on PC using WhatsApp Web and a vCard
Using the web client on a PC, an attacker could send a vCard with the malicious code of malware and install it directly on the computer.
Source:
IOS
07/30/2015
Access to other people's chats on iOS devices
A computer engineering student notices that by using an iPhone and a Linux computer, he can extract sent and received files and contacts.
Source:
Android IOS
05/30/2015
Account theft through another device
A failure in the user identification process allowed an attacker to access our account. By installing WhatsApp on a second device, knowing the victim's phone number, and having access to their phone, it was possible to steal the account. To do this, a new installation is started with the victim's number, the verification code is requested through a call on the mobile that we can answer without unlocking the phone and use that code on the second client. Until the victim can recover the use of his account, a variable amount of minutes is spent that can be used to spy on all conversations.
IOS
05/26/2015
A character-related bug restarts the phone
A remote attacker could use CoreText to trigger a denial of service attack using Unicode text. By sending several characters that were not correctly assimilated by the notification, the message caused the phone to restart.
Source:
Android IOS Windows
05/13/2015
Account hacking through voice mail
WhatsApp's verification process makes it possible for a person who knows our phone number to steal our account if we have an active mailbox. Simply install WhatsApp and start registering the number when the victim may not be looking at the phone. When the verification call is not answered, WhatsApp leaves the message in the voice mailbox if it is active, a mailbox that can be called to know the verification code, and take control of the account.
WebApp
01/29/2015
An error allows seeing the photos of users that we do not have in the contact list/deleted images are still visible in WhatsApp Web
Indrajeet Buyhan discovers two security and privacy flaws On the one hand, he shows how users' profile photos are visible even when we do not have the user in our contact list. Anyone can see our photo even if we specify in the settings that they cannot do it. The second error is related to the synchronization of WhatsApp Web and mobile clients: when you delete a photo in a conversation, it becomes blurred on the mobiles and inaccessible but is still available in the web version of the client.

2014

Android
12/01/2014
Sending messages capable of corrupting the conversation and forcing its deletion
Two teenagers discover a bug that caused an error in the app by sending a text message with a special set of very small characters (barely 2kb), making it impossible to access that conversation. It was not an extremely serious security flaw, but it allowed any conversation to be corrupted by forcing it to be deleted and a new conversation to be started. Fixed in update 2.11.468.
Android
04/17/2014
Sending locations without encryption
A group of researchers from the University of New Haven detects a security flaw where messages with the location of contact are sent without encryption, allowing them to intercept the content of those messages and know the real position of contact using a man-in-the-middle attack with programs like WireShark.
Android
03/11/2014
WhatsApp database theft
A Dutch computer engineer warns that the WhatsApp database is stored on the devices' SD card and that any app with access to that SD card could get the file. In a transparent process, attackers can copy the database and upload it to a server. This database was encrypted using SQLite3, but it was possible to decrypt it using a Phyton and WhatsApp Xtract script. According to WhatsApp, in a note released days later, these reports were exaggerated: responsible use of the software and the device, as in any other circumstance, should be enough to avoid becoming victims of an attack.
Android IOS Windows
03/08/2014
Security flaw enables forging of messages
Two researchers present at the RootedCon 2014 a proof of concept that demonstrates that it is possible to forge WhatsApp messages without leaving a trace.

2013

Android
11/22/2013
It is possible to know the location of a contact through its IP address
The introduction of new image download functionality associated with URL link sharing would allow an attacker to know a person's IP address, and therefore, their location. Also, other useful data for performing denial of service attacks.
Android IOS Windows
11/03/2013
It is possible to decrypt messages sent from WhatsApp
Pablo San Emeterio and Jaime Sánchez, publish an investigation that explains in detail how WhatsApp's message encryption system works, and how, with this information, it is possible to intercept sent messages and forge them for the final recipient. As a solution, they invented the WhatsApp Privacy Guard app. The problem is in the use of the same key to encrypt two messages, a failure of the RC4 encryption protocol.
Android IOS Windows
10/08/2013
WhatsApp encryption problems
Researcher Thijs Alkemade detects two weaknesses in WhatsApp's message encryption Firstly, he discovers that someone with access to the messages might be able to decipher their content despite the encryption used. Secondly, the use of the RC4 key allows for man-in-the-middle attacks capable of intercepting packets.
Source:
Android IOS Windows
01/17/2013
Security flaw triggers the creation of WhatsApp Voyeur
Alejandro Amo publishes the web service WhatsApp Voyeur as proof that anyone can get information from WhatsApp profile data without having the user in the contact list, such as photos, statuses, or dates. The service stopped working because of legal warnings. The reality is that this is possible just by adding a contact to our contact list.

2012

Android IOS Windows
05/04/2012
WhatsApp Sniffer, plain text messages
WhatsApp Sniffer app is launched, allowing to spy on chats. In August 2012 it was announced that WhatsApp would start encrypting messages, without specifying the protocol. The phone numbers were still visible.
Android IOS Windows
01/03/2012
WhatsAppStatus appears, allowing you to change the status of any contact
A web service called WhatsAppStatus is launched, which takes advantage of different vulnerabilities detected the previous month to allow changing the status of our contacts in a random way. The error would be corrected on January 6th.
Source:

2011

Android IOS Windows
12/19/2011
Irregular status updates, logging errors, and plain text related errors
Numerous vulnerabilities related to user status in the app, registration process, and plain text protocol are discovered, making it very easy to intercept them.
Android IOS
12/10/2011
Whatsapp Xtract is born, it is possible to steal a user's WhatsApp database
A group of researchers launches WhatsApp Xtract, a software capable of extracting and decrypting the database that WhatsApp locally stores on the devices. According to reports, this encrypted database, that stores all incoming and outgoing messages, can be accessed on mobile devices with root or jailbreak, and can be easily decoded as it always uses the same static and encrypted key.
Android IOS Windows
05/17/2011
Contact information and messages are sent as plain text
A researcher discovers that WhatsApp sends all the information unencrypted through the network, so any user can be a victim of spying through a man-in-the-middle attack, which by using a sniffer software such as WireShark, is able to see the data passing through port 443. WhatsApp implicitly recognized that there was no extra layer of security by responding that the security protocols applied were those of Wi-Fi and 3G networks.
Android
05/01/2011
A security flaw enabled the hijacking of user accounts
Security issues in the phone number verification or authentication process. A developer locates a bug that allowed a user's account to be hijacked remotely.