InfoSecBulletin Cybersecurity for mankind
Meta’s WhatsApp is now silently fixing security issues that could reveal users’ operating system details to attackers. Privacy issues impact over 3 billion users, allowing attackers to gather information before launching malware attacks.
Understanding the Fingerprinting Threat:
CISA: Splunk flaw under active exploit, patch by Sunday
Texas data breach exposes 3 million driver’s licenses
Critical Cisco ISE Vulnerability Enables Remote Code Execution
F5 Patches NGINX Flaw for Code Execution and DoS Attacks
FortiBleed: 70,000 Fortinet Firewalls Compromised Globally
New Rokarolla Android malware hits 217 banking and crypto apps
Phishing Campaign Exploits Legitimate Microsoft Login Flow
ALERT
Cisco SD-WAN Zero-Day, FortiSandbox and cPanel flaws exploited in attacks
“Panthalassa” builds floating AI data centers powered by ocean waves
Critical Wazuh Vuln Enables Alert Tampering and Evidence Deletion
Security researchers found that WhatsApp’s end-to-end encryption for multiple devices unintentionally exposes device metadata. Each device has its own encryption session with a unique key, allowing for easy identification.
Bad actors can leverage and use WhatsApp as an attack vector for the query WhatsApp servers for encryption material and extract device-specific information without any user interaction. This reconnaissance capability poses significant risks to users worldwide.
Recent research shows that ID generation differences enable attackers to identify victims’ operating systems, distinguishing between Android and iPhone. This identification capability is crucial for advanced persistent threat (APT) actors deploying platform-specific zero-day exploits.
Sending an Android exploit to an iPhone would not only fail but also potentially alert victims and compromise sophisticated attack infrastructure worth millions of dollars.
Accurate device identification is crucial for threat actors to maintain operational security before attacks.
Security analysts found changes in how Android generates Signed PK IDs using proprietary research tools. The parameter now creates a random value each month instead of starting at zero and increasing, making device identification harder.
The One-Time PK ID parameter is still flawed. iPhone initialization values vary greatly from Android’s 24-bit random range, allowing precise device identification.
This partial remediation represents progress but leaves critical gaps in protection.
WhatsApp fixed the issue without informing the original reporters or assigning CVE identifiers. WhatsApp issued a bug bounty in one case but didn’t assign a CVE due to low severity.
Security experts believe CVE documentation is crucial for communication in the security community, not just a way to label issues, and that severity is accurately represented in CVSS scores.
Researcher advised that Meta should focus on thorough fixes and notify researchers and assign CVEs to show commitment to security transparency.
