In brief: There is no shortage of WhatsApp vulnerabilities, which is why the communications platform is meant to be used socially and not for mission-critical tasks, but at least Facebook is fixing one of them in the latest update to the app. This may be explained by the fact that the bug can compromise group chats and even crash the app entirely until you wipe all related data.
If you're running an older version of WhatsApp on your iPhone or Android phone and have automatic updates turned off, you might want to get your app to the latest version. Specifically, make sure that you run at least version 2.19.246 on Android and 2.19.120 on iOS, and you should be covered.
According to security firm Check Point, a nasty bug allows an attacker to deal damage to your group chats. The exploit is apparently as easy as using the debugging tools in a web browser such as Chrome, after which messages can be edited to send the application into a crash loop for all the members of a group. Every time one of them reopens the app, it will crash again.
The only fix at that point is wiping all user data. Since all members of a group have to apply the same fix, that leaves no way to recover the group's data, effectively removing chat history. The cherry on top is that in order to get rid of the crashes for good you have to also delete all the groups that are affected by the malicious payload.
This new exploit was too big for Facebook to ignore, as it can render the app useless.
WhatsApp is used by over 1.5 billion people in over 180 countries, meaning this simple bug potentially gives malicious actors a large attack surface. The social giant was notified about the issue in advance of this public disclosure, allowing for ample time to incorporate a fix. However, there are still some vulnerabilities that Facebook has yet to fix, one of which can be used to take over conversations and impersonate you, but luckily there's little indication that it's been used in the wild.
To the company's credit, it has released a partial fix that can prevent you from being tricked into broadcasting a private message to an entire group. And it also took care of a video bug that essentially made playing a file you received the same as giving complete access to all the information you have on your phone.
In related matters, the FTC could soon seek an injunction against Facebook that would halt its plans to unify the underlying infrastructure behind Messenger, WhatsApp and Instagram. This isn't going to prevent companies like NSO from selling spyware tools for these apps, but it should at least make it harder for hackers to steal your personal data.