
WhatsApp Security Advisories - alexvoica
https://www.whatsapp.com/security/advisories
======
nateberkopec
Why was this submitted? The newest WhatsApp CVE is more than 6 months old.

~~~
rocqua
[https://nvd.nist.gov/vuln/detail/CVE-2020-1894](https://nvd.nist.gov/vuln/detail/CVE-2020-1894)
This was yesterday I think? With code-exec through a stack overflow in push
to talk. Unless the date format is out of whack, and 09/03 is 9 March, not 3
September.

~~~
ccktlmazeltov
Depends if it's the American date format or the rest-of-the-world date format.

------
crtasm
> If you lose access to your WhatsApp account, the messages you previously
> received will remain on your phone and will not be available elsewhere.

As I understand it, if you give in to the Android app's repeated prompts to
enable backing up to your Google account then your messages _are_ stored
elsewhere, and without encryption.

Could someone confirm if this is still the case?

~~~
paxys
That is correct. Same for iCloud backup on iPhones.

------
bzb5
What surprises me about the list of CVEs is how many of them affect both
Android and iOS. One would assume they are two completely independent
codebases.

~~~
IncludeSecurity
Many mobile apps rely on shared components/libs/frameworks that are either
developed by the company or are FOSS (libpl_droidsonroids_gif for example). In
either case...they are platform agnostic and usually written in C. And as we
all know C is full of memory handling problems like overflows.

Hopefully in 2020 and beyond people will be developing these shared components
in Rust instead.

------
laingc
This thread thus far has a ton of comments from people who haven't bothered to
actually read anything about how WhatsApp works, or how the Signal protocol
works.

It would make for a better comment thread if everyone did that prior to
expressing an opinion.

~~~
dijit
This kind of snide comment gets upvoted because everyone sees it as a way of
looking down on the 'other comments'.

If you have something specific to say to each of the people who "didn't read
the spec" then please respond to those people with that, instead of making
passive aggressive commentary and making us assume the worst in everyone else
in the comments.

~~~
floatingatoll
It's completely appropriate to ask the HN community to do more work before
posting, instead of posting opinions that haven't been checked against
reality. The mods use this same approach when advising us to act better: a
single top-level comment, discussing a common misbehavior and asking for it to
stop. We should aspire to be a better community, but individually chastising
tens of comments for posting unfounded and repetitive comments would pollute
the discussion with needless repetition of the same core point.

------
fareesh
"We do not store private messages on our servers"

Are all messages "private" messages? Or is this intended to distinguish group
chats from one-to-one chats?

~~~
ianlevesque
It’s fully documented: [https://faq.whatsapp.com/general/security-and-privacy/end-to...](https://faq.whatsapp.com/general/security-and-privacy/end-to-end-encryption/)

------
saagarjha
> Due to the policies and practices of app stores, we cannot always list
> security advisories within app release notes.

Yeah, right. Here's your three latest release notes for the iOS app:

    
    
      2.20.92 Aug 25, 2020
      Bug fixes.
      
      2.20.91 Aug 24, 2020
      Bug fixes.
      
      2.20.90 Aug 19, 2020
      Bug fixes.
    

Surely you can do better than that?

~~~
amatecha
IMO these walled-garden app stores that are supposed to be "so good for the
users" should require quality release notes that describe the exact
"performance improvements and bug fixes" that the respective apps apparently
receive.

~~~
reaperducer
_IMO these walled-garden app stores that are supposed to be "so good for the
users" should require quality release notes that describe the exact
"performance improvements and bug fixes" that the respective apps apparently
receive._

What is it that makes you think this is caused by "walled gardens?" Do you
have a link to a policy that requires this, or is it your own biases showing
through?

~~~
amatecha
I think you may have misunderstood my comment... I'm saying that if the walled
garden app stores are supposed to be good for users (especially if this is one
of their marketing bullet points), one might reasonably expect that
"high-detail release notes" ought to be one of the requirements for app developers,
imposed by the owner of the app store (Apple, Google, etc.). This way users
get a good understanding of what changes will happen when they download an
update of a given app.

------
muxator
> We do not store private messages on our servers _once we deliver them_

Doesn't this mean that messages exist in plaintext on Facebook's servers for
at least the time it takes to deliver them? To me this is equal to saying that
everything is clear text anyway, since there is no way to ensure someone
lawfully or unintentionally taps the text stream and diverts it somewhere.

Am I misunderstanding?

~~~
TwoBit
Probably just means the encrypted messages are in holding on the server until
delivered. There's not much alternative to that unless peers are enabled to
talk directly to each other, which would likely be a poor experience due to
reliability and connectivity issues.

~~~
vlovich123
It would probably be much more ideal to have peers send messages to each other
directly & only use the server for store + forward if the send fails.

~~~
paxys
True P2P isn't really possible today in the vast majority of ISP networks
(especially mobile ones), so at most traffic will be relayed by a TURN server
which is also centralized.

~~~
vlovich123
Are you sure that mobile networks really go out of their way to block STUN?
Not to mention that they’re predominantly IPv6, so the reasons for NAT would be
weird at the carrier level (haven’t investigated this too thoroughly so not
sure).

