WhatsApp's Massive Security Flaw Serves To Remind Us The Limits Of Consumer Encryption Apps

Facebook acknowledged last week a massive security vulnerability in its WhatsApp messaging software that allowed a commercial spyware company to install surveillance software on victims’ phones merely by calling them. Exploiting a standard buffer overflow vulnerability in WhatsApp’s call answering stack, the security issue was particularly devastating, allowing arbitrary remote code execution. While the vulnerability itself was quickly fixed, its existence in Facebook’s marquee encrypted communications application reminds us that despite all of their marketing hype, consumer grade encrypted messaging apps are not necessarily as safe as the public might expect them to be.
The vulnerability afflicting WhatsApp was as mundane and common as they get in the cyber world: a simple buffer overflow exploit. Its location in the software’s call answering stack, however, made it particularly devastating, meaning victims could be infected simply by having a malicious actor know their phone number, even if they didn’t actually pick up the call. Worse, after infecting the user’s device, the malware could erase all traces of the user even having received an unusual call.
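To make the bug class concrete, here is an added illustration (not WhatsApp's code) of a call-signalling packet parser in its vulnerable and hardened forms. The packet layout, the `call_setup` struct and both `parse_call_setup_*` functions are constructed for this example; the point is the single missing bounds check that turns an attacker-supplied length field into a memory corruption.

```c
/* Added illustration of a length field in an incoming call-signalling packet
 * being trusted without a bounds check. Not WhatsApp's code; the wire format
 * below is constructed for this example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define CALLER_ID_MAX 32

/* Constructed wire format: [1 byte caller-id length][caller-id bytes]... */
struct call_setup {
    char caller_id[CALLER_ID_MAX];
    size_t caller_id_len;
};

/* Vulnerable form: copies however many bytes the remote-controlled length
 * byte claims, so any value above CALLER_ID_MAX writes past the fixed buffer.
 * Kept only to show the missing check; it is never called here. */
int parse_call_setup_unchecked(const uint8_t *pkt, size_t pkt_len,
                               struct call_setup *out)
{
    if (pkt_len < 1)
        return -1;
    size_t len = pkt[0];
    memcpy(out->caller_id, pkt + 1, len);  /* no check against sizeof caller_id */
    out->caller_id_len = len;
    return 0;
}

/* Hardened form: the declared length is validated against both the buffer
 * capacity and the number of bytes actually received before any copy. */
int parse_call_setup_checked(const uint8_t *pkt, size_t pkt_len,
                             struct call_setup *out)
{
    if (pkt == NULL || out == NULL || pkt_len < 1)
        return -1;
    size_t len = pkt[0];
    if (len > CALLER_ID_MAX)      /* would overflow the fixed buffer */
        return -1;
    if (len > pkt_len - 1)        /* claims more payload than was received */
        return -1;
    memcpy(out->caller_id, pkt + 1, len);
    out->caller_id_len = len;
    return 0;
}
```

The hardened parser rejects both an oversized length (heap/stack overwrite) and a length that exceeds the received packet (over-read), which is the shape of check a reviewer should look for in any handler that runs before the user has interacted with a call.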
While confirming the attack, Facebook offered few other details other than to recommend that users upgrade to the patched version of the client application immediately.
Given that samples were captured of at least some of the spyware variants that were known to be installed on victims’ phones, this raises the question of whether Facebook would be making available a malware removal tool that would scan users’ devices for the known malware. While this would remove only the previously identified spyware tools, it would at least offer users some peace of mind.
Asked whether the company would be distributing such a malware scanning tool as an option for concerned users, the company confirmed that it would not. Asked how users themselves might be able to determine whether they had been affected, especially those in high-risk communities, the company confirmed that there was no straightforward way to determine whether they had been compromised and that Facebook would not be providing any assistance to WhatsApp users to determine this.
Facebook’s refusal to help its users is far from unusual. Most consumer software includes legal clauses expressly disavowing any responsibility for damage to the user’s device, and few companies are willing to step forward to help users recover from a cyber incident without charging substantial fees.
Yet the biggest story is not that WhatsApp had a buffer overflow vulnerability or that a malicious actor actively exploited that vulnerability to install spyware on users’ devices.
The real story is that this incident reminds us that consumer grade encrypted communications software is far from the hardened military protection that the general public often associates with it, given the companies’ own marketing campaigns.
Facebook has relentlessly touted WhatsApp as a security-first communications platform that offers “secure messaging” for “your most personal moments.” The company’s marketing literature heavily emphasizes WhatsApp’s security features, touting its “secure” design and even recommending it for use by “airlines, e-commerce sites and banks,” creating the impression of a highly secured enterprise application.
Nowhere on the main pages of WhatsApp’s website is there a big bold disclaimer that it is a consumer application that should not be used for sensitive communications. In fact, the site gives quite the opposite impression, unless one wades through the lengthy legalese of its terms of service document.
To the general public, WhatsApp might seem the perfect way to secure all of their communications. After all, if their encrypted web browser is safe enough to manage their bank account, an end-to-end encrypted messaging app touted as “secure messaging … [for] your most personal moments” and built by one of Silicon Valley’s biggest internet companies must surely be as secure as they get.
The reality is that WhatsApp is still a consumer grade application. While any software may have vulnerabilities, the kinds of security reviews and rigorous testing that help ensure the security of military communications systems are simply not investments that companies are willing to make for free consumer software like WhatsApp.


This is not to say that WhatsApp is any less secure than any other encrypted messaging app, but rather that companies like Facebook need to be more upfront with their users to help them understand that these are still only consumer grade applications.
Of course, the past year’s parade of security breaches has shone a harsh light on Facebook’s relatively lax approach to the security of its products as a whole and a lack of rigor in its auditing and security review practices.
Asked how Facebook would respond to concerns that perhaps it has overhyped the “secure” nature of WhatsApp to the public and that it is not sufficiently investing in the security of its products, the company emphasized that it had corrected the vulnerability in question but did not comment directly on whether it agreed that there could be a mismatch between the company’s portrayal of WhatsApp’s security and the reality of it being a consumer product.
Putting this all together, last week’s WhatsApp story reminds us once again that despite the plethora of encrypted and “secure” messaging applications available today, the majority are still consumer grade products that lack the rigorous design and testing of the military-grade software that the surrounding marketing could lead consumers to mistake them for.
In the end, perhaps the WhatsApp breach might serve as a lesson to companies to be more forthcoming about the limitations of their software and to do more to help consumers recover from breaches. Unfortunately, that is unlikely to happen anytime soon.