WhatsApp is rolling out a new update to its iOS client to patch a weakness that could be exploited later. More specifically, it concerns the storage of the 2FA code, which WhatsApp kept in a file inside its own private directory. Although that directory is sandboxed, the code could still be read by an adversary who exploits a zero-day bug found in the future.
WhatsApp Patches an Existing iOS Flaw
Last year, an iOS user spotted that WhatsApp was storing the two-factor authentication code in plaintext in a file within WhatsApp's private directory. Since that directory is sandboxed, it is nominally safe and bars other apps from accessing it. But this is still an issue: a future zero-day exploit could let attackers read the code, so it should be secured.
To address this, WhatsApp has rolled out a new update (v2.21.80) to its iOS client that fixes the flaw. It is available to beta testers in TestFlight and will soon reach all iOS users through the App Store. Once installed, WhatsApp no longer stores the 2FA code in its private directory and instead keeps it in the iOS Keychain.
The iOS Keychain is the storage Apple provides for developers to keep sensitive data securely, so the code is safer now. Even so, an adversary who obtained this code could not breach the user's WhatsApp account with it alone, because they would also need the additional code WhatsApp sends through SMS.
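As an added illustration (not WhatsApp's code), here are the two storage patterns the article contrasts, in Swift: writing the PIN to a plaintext file inside the app's sandbox, and storing it as a Keychain item with a device-bound accessibility class. The service name, account name and PIN value are constructed placeholders.

```swift
import Foundation
import Security

// Constructed sample value used only for illustration.
let twoFactorPin = "123456"

// BEFORE (the pattern the article describes): the PIN is written as plain text
// to a file in the app's sandbox. Other apps cannot reach it, but anything that
// later escapes the sandbox, or extracts the app container, reads it directly.
func storePinInPlainFile(_ pin: String) throws {
    let dir = FileManager.default.urls(for: .libraryDirectory, in: .userDomainMask)[0]
    try pin.write(to: dir.appendingPathComponent("2fa.txt"), atomically: true, encoding: .utf8)
}

// AFTER: the PIN is a generic-password item in the Keychain. The OS encrypts it
// with device-bound keys, and the accessibility class chosen here makes it readable
// only while the device is unlocked and never migrates it to another device.
enum KeychainError: Error { case unexpectedStatus(OSStatus) }

private func baseQuery(account: String) -> [String: Any] {
    return [kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: "com.example.app.twofactor", // assumed identifier
            kSecAttrAccount as String: account]
}

func storePinInKeychain(_ pin: String, account: String = "2fa-pin") throws {
    var item = baseQuery(account: account)
    item[kSecValueData as String] = Data(pin.utf8)
    item[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    // Drop any stale copy first so SecItemAdd does not fail with errSecDuplicateItem.
    SecItemDelete(baseQuery(account: account) as CFDictionary)
    let status = SecItemAdd(item as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
}

func readPinFromKeychain(account: String = "2fa-pin") throws -> String? {
    var query = baseQuery(account: account)
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    if status == errSecItemNotFound { return nil }
    guard status == errSecSuccess, let data = result as? Data else {
        throw KeychainError.unexpectedStatus(status)
    }
    return String(data: data, encoding: .utf8)
}
```

The file-based version is shown only to make the contrast concrete; the Keychain functions are the pattern to keep.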
Yet it could serve as the second step of an attack if the attacker has already obtained the SMS code. Thus, securing it is essential. While we expected WhatsApp to roll out this patch long ago, it delayed the fix for unknown reasons. It should also be noted that no such update is required for the Android version.