WhatsApp has seen its fair share of security flaws — however, the app might be more vulnerable than we once believed. According to a database seen by the Financial Times, WhatsApp disclosed a total of 12 security vulnerabilities in 2019. And seven of those were classified as “critical.”
In previous years, only one or two security vulnerabilities have been reported by WhatsApp. That’s a significant jump by any standards.
The Guardian first reported last week that bin Salman had covertly stolen data from the Amazon CEO's phone after sending an unsolicited video that contained a malicious file in 2018.
The disclosures to the US National Vulnerability Database have sparked questions about the security of the app amid reports that Amazon CEO Jeff Bezos' phone was hacked by Saudi Crown Prince Mohammed bin Salman.
The hack on Bezos' phone is believed to have happened after the two men exchanged friendly messages on WhatsApp on May 1, 2018, weeks after they had met at a dinner in Los Angeles while the prince was in the US on official business.
Bezos' team began investigating his phone in January 2019 after The National Enquirer published a story about him having an affair. After the accusation, Bezos accused the tabloid's parent company, American Media Inc., of blackmailing him by threatening to publish his nude images.
The Saudi government has called the report "absurd" and called for an investigation into the claims.
WhatsApp vulnerabilities marked security risk
According to the Financial Times, several security flaws were found in the popular messaging service last year, raising the possibility that these vulnerabilities went unnoticed for some time, which may have facilitated the high-profile hack of Bezos' phone.
As per the National Vulnerability Database, out of 12 vulnerabilities that WhatsApp disclosed in 2019, seven were marked critical. Among the vulnerabilities disclosed by the messaging app, the CVE-2019-3568 bug was marked the most dangerous, as it allowed hackers to execute malicious code on smartphones. Another critical flaw, CVE-2019-11933, which primarily affected WhatsApp for Android, allowed hackers to cause a denial of service.
It added that the number of reported vulnerabilities was significantly higher than in the previous year, when only one or two security reports were made. Another reported bug could have allowed hackers to crash WhatsApp by sending a malicious message to a group, which could leave WhatsApp completely unusable for the affected person.
Facebook, which acquired WhatsApp in 2014, has since tried to pin Bezos' hack on Apple's operating system.
Last week, Nick Clegg, Facebook’s Vice President of Global Affairs and Communications, told the BBC that he is “very, very confident” that the hack on Bezos’ phone couldn’t possibly be the fault of WhatsApp. “We’re as sure as you can be that the technology of end-to-end encryption cannot be hacked into,” he said.
The disclosure of a dozen vulnerabilities renders that answer virtually useless. WhatsApp will surely continue to be an integral part of the ongoing investigation into Bezos’ phone being hacked.
Still, experts such as Marc Rogers, vice-president of cybersecurity at Okta, told the FT that news of the vulnerabilities likely pointed to them existing for some time.
A dozen vulnerabilities is plenty to be concerned about. But the larger issue at hand is that WhatsApp may have known about them for a while before reporting them. Experts have told the Financial Times that “many of those were likely sitting there all that time and there’s a very high chance they were being [exploited].”
It’s very possible the critical vulnerabilities recently revealed played some part in the hacking of Bezos’ phone. So, a long journey to fight cybercrime awaits WhatsApp.
For every fraud type or security risk, there are just as many technical prevention solutions helping protect consumers, enterprises and networks alike. No communication channel is exempt from the attacks of fraudsters, and none can claim to be a 100% ‘secure channel’.
However, proactive and consistent vigilance can make the difference, and that’s what MEF global board member and iTouch Chairman Waheed Adam wants to see happen in South Africa.