If you’re wondering what the deal is with the WhatsApp warnings, you’ve come to the right place.
Many reports have rolled in, claiming the existence of two security holes in WhatsApp, linking back to two tweets. Their bug IDs are allegedly CVE-2022-36934 and CVE-2022-27492.
An article based on the two tweets claimed that not only are they zero-day bugs, but they’ve also been discovered and supposedly fixed by the WhatsApp team.
By definition, however, a zero-day is a bug that attackers found and exploited before a patch was available, so that there were zero days on which even an incredibly talented sysadmin could have caught it.
So, basically, stating that this bug is a zero-day is to imply that it’s important.
So, is WhatsApp actually under attack? Is there an active danger that you should be notified of?
As far as anyone knows, the reports are based on information coming directly from WhatsApp’s security advisory page.
Both bugs are currently listed as leading to remote code execution, or RCE, meaning that crafted data could force the app to crash, and that an attacker might be able to rig up the circumstances of the crash to trigger prohibited behavior.
Usually, when an RCE is involved, the unauthorized behavior means running malware to take some form of control over your device.
Based on the descriptions, it seems like the first bug required a connected call to be triggered, while the second looks like it could be triggered at other times.
Mobile apps are generally regulated more strictly than apps on laptops or servers, where local files are generally accessible to, and shared between, various programs.
This means that the compromise of a single mobile app usually poses less of a risk than a similar malware attack on, say, your computer.
There is good news! The bugs listed were apparently patched around a month ago, even though the latest reports implied that these flaws represent a clear danger to WhatsApp users.
So, yes, the holes have been patched, as confirmed by WhatsApp itself.