[HN Gopher] WhatsApp Remote Code Execution in Video Call ___________________________________________________________________ WhatsApp Remote Code Execution in Video Call Author : louislang Score : 276 points Date : 2022-09-27 14:43 UTC (8 hours ago) (HTM) web link (nvd.nist.gov) (TXT) w3m dump (nvd.nist.gov) | hulitu wrote: | So where the description of the vulnerability ? The OP links to | whatsapp site which i cannot use because of the cookie banner. | 2Gkashmiri wrote: | waiting for the time when i can only use my matrix/element and be | able to talk to whatsapp or instagram or snapchat users without | creating and maintaining accounts there. | Forbo wrote: | It's going to take nothing short of massive legal action to get | any sort of competitive compatibility like that. As much as I | wish for that to happen my hopes aren't very high. So until | then I'll keep chugging along on whatever open solutions I can, | hoping that my small contribution to network effects will help | steer things down the line. | [deleted] | rafale wrote: | dang wrote: | We ban accounts that post like this, so please don't. | | We detached this subthread from | https://news.ycombinator.com/item?id=32996849. | | https://news.ycombinator.com/newsguidelines.html | asdffasdf1234 wrote: | ah yes, jewish origins. very suspect.... | | /s | bloqs wrote: | Israeli / Jewish origins? | | For fucks sake. | anvic wrote: | ipython wrote: | This publicly disclosed vuln brings a new perspective into the | Bezos phone hacking incident: | https://en.m.wikipedia.org/wiki/Jeff_Bezos_phone_hacking_inc... | MuffinFlavored wrote: | Does this mean Jeff Bezos was doing WhatsApp video calls with | https://en.wikipedia.org/wiki/Mohammed_bin_Salman ? | ipython wrote: | Especially since a related cve refers to vulnerable video file | parsing: https://cve.mitre.org/cgi- | bin/cvename.cgi?name=CVE-2022-2749... | mgraczyk wrote: | Since the issue was in both the iOS and Android versions of the | app, and it was caused by an integer overflow, does that mean | that the bug was in a bundled C++ library implementing webRTC? Is | there any information about the source-level cause of the issue? | saddlerustle wrote: | Notably on iOS there's no good way to isolate unsafe native | libraries from the rest of your app without violating app store | policies, because Apple enforces apps to be single process and | doesn't allow use of its own sandboxing apis. | dagmx wrote: | I believe you're able to use XPC Services to achieve that no? | | Edit: actually no, XPC Services are Mac only so wouldn't help | on iOS. | | WASI would be the closest thing to a secure runtime | biggerChris wrote: | The jailbreak community has entered the chat. | | https://theos.dev/docs/nic | londons_explore wrote: | You can compile your less trusted libraries to webassembly | and then run them in a webview? | pjmlp wrote: | When most code is Objective-C it hardly matters anyway. | justapassenger wrote: | You only need a bug in a single line of code of your | dependency to compromise the whole app. Most of the code | doesn't matter for security. | pjmlp wrote: | The usual argument that safer languages are needless, | because bugs happen anyway, yet Apple is going Swift, and | adopting hardware mitigations to fix these kind of | issues. | saagarjha wrote: | Hardware mitigations which you can't use? | fsociety wrote: | Plenty of mobile code, especially at large companies like | this, rely on a ton of C code. It makes it easier to | support features on both Android and iOS. I'm sure there | are more benefits I'm not aware of. | black_puppydog wrote: | You have to understand, they enforce those rules for security | reasons. /s | UncleMeat wrote: | It seems this way. "RCE via crafted media file" generally | points to various media codecs and other processing that is | implemented in native. | gauravphoenix wrote: | What is the worst case scenario here? Will the adversary be able | to break out of the sandbox? i.e. will the adversary be able to | access non WhatsApp data? | londons_explore wrote: | Since this advisory is cross platform, I expect it just lets | you execute code in the application context. | | Ie. You can still steal someone's entire conversation history. | [deleted] | qopl wrote: | Here are the security advisories from WhatsApp: | https://www.whatsapp.com/security/advisories/2022/ | | They're rather scant on detail. Anyone know if this was exploited | in the wild? Or who discovered it otherwise? | | I'm also wondering if it was disclosed as part of an equities | process, given the target and the type of bug. | nixcraft wrote: | Off topic: Why does WhatsApp don't give the option to block all | calls and texts by default? That way, I can only talk with folks | I want. The signal app has that option. Random businesses can | send you texts to promote their shity services (typically, your | number is grabbed from data brokers or leaks). Of course, you can | block and report such spam, but there is no DnD option right now. | | Alt url as nvd is under load: Critical WhatsApp vulnerabilities | patched https://www.malwarebytes.com/blog/news/2022/09/critical- | what... | | Edit: I forgot to mention almost all spam is from verified | whatapps business accounts. So I believe they/FB are selling data | directly under their updated TOS. | el_nahual wrote: | I am one of these "WhatsApp spammers" (well, _I_ don 't | consider myself a spammer but you might!). | | We sell financial services in a developing country. We're not a | mobile app--we're just a mobile-first website (a common gripe | on HN is 'there's too many apps, just make a website'. Well, | we're one of them). | | We need to be able to get in touch with our customers for | transactional purposes (changes to their account, delivery | notifications, login links, that sort of thing). Our customers | don't have email. SMS gets filtered at the phone level (and | uses untrustworthy, shared numbers). The _only_ option is | WhatsApp. | | Most of the world does not have a computer, they have a phone. | So at this point it's either WA or a native app + push | notifications. Which would you prefer? | | Just for reference, facebook has pretty strict guidelines for | sending unsolicited messages. | | In order for us to send you an unsolicited message, that | message must use a preapproved template. Those templates are | not _supposed_ to be used for marketing purposes (although it | 's easy enough to craft a seemingly transactional template that | is actually marketing). And there's also some cases that are a | bit of a gray area. | | However, in our experience, users are _brutal_ flagging spammy | messages as spammy, and facebook has pretty strict | deliverability rules. If your quality drops, your messages stop | being delivered. | | All in all, I think it's pretty fair. | Asdrubalini wrote: | Wanna talk about how the WhatsApp client on macOS (and probably | also Windows) by default shows your webcam on screen if someone | videocalls you? That way if you are sharing your screen and | someone happens to call you, everyone will be able to suddenly | see you without warnings. | | For me is such an enormous privacy violation that I removed the | client (which is also a memory hog) and now use only the | browser version. | nixcraft wrote: | >now use only the browser version. | | That is a great idea. But can you delete the app from your | phone once connected to the web browser? | michaelmior wrote: | I believe so. Although you may need to periodically | reinstall to reauth. | beefield wrote: | Install Whatsapp on a virtual android on your computer? | jaywalk wrote: | Can virtual Android simulate your phone number? | isp wrote: | It doesn't need to. | | The WhatsApp authentication SMS message can be sent to | your (real) phone, and then manually transcribe the auth | code into WhatsApp on the Android VM. | | I did this for a while. | Asdrubalini wrote: | Definitely not, but I was referring to the macOS version. | AFAIK you always need to have the app installed on some | phone that is connected to the internet but things may have | changed since I last checked. It doesn't bother me much on | phone since i have never shared the screen but on computers | is a real concern. | llui85 wrote: | The phone has to check in with WhatsApp every 2 weeks for | any linked devices to keep working. | | https://faq.whatsapp.com/579413796526134/ | nicoburns wrote: | iOS now provides this as an OS features ("Focus"). You cab | block notifications from all but certain apps and/or all but | certain contacts. And the contacts feature works with WhatsApp. | pedro_hab wrote: | yes, WhatsApp used to be great in this regard, you would not | get any spam. | | Now it's starting to get worse and worse. | | I block SMS notifications since I only get spam there (I'm | Brazilian, SMS is basically dead here) | anvic wrote: | >Now it's starting to get worse and worse. | | Wait until the EU-mandated intercompatibility kicks in. | vladvasiliu wrote: | Wouldn't that actually help? As another commenter said, | some apps actually allow blocking random callers. So, | presumably, such an app could be used instead of WhatsApp | while still being able to contact people on that network. | Kind of like in the '00s, when you could use pidgin or some | other third-party app to avoid the annoyances of msn or | yahoo messenger. | [deleted] | DSingularity wrote: | These applications should be treated as Trojan horses. If they | aren't open source and you are a journalist/dissident or anyone | targeted by nation states you have got to assume your | WhatsApp/Facebook is being used to compromise your device. | als0 wrote: | Even the App Store version of Signal is allegedly not the same | as what's in the open source project. So unless you compile and | install the applications yourself, there's no way of knowing | anything. | marcodiego wrote: | That is why we must support initiatives like f-droid. They | put a special focus on reproducibility. | lucakiebel wrote: | So Apple has their Xcode Build service, why not add a badge | to verify that an app was built from a linked public | Github/Gitlab Repo | nonasktell wrote: | if you can't trust Meta, why could you trust apple? | kingnothing wrote: | Apple has been building their brand on privacy and trust | for at least a couple of years now. Can you be sure | they're not sending everything to the NSA? Of course not. | But they also make their money by directly charging users | for services unlike the ad-based companies. There have | also been many attempts by various governments to | publicly force Apple to insert backdoors or prevent them | from fixing security vulnerabilities which have failed. | polyomino wrote: | > But they also make their money by directly charging | users for services unlike the ad-based companies. | | this does not make them more trustworthy | | > There have also been many attempts by various | governments to publicly force Apple to insert backdoors | or prevent them from fixing security vulnerabilities | which have failed. | | Except in china, I suppose. | mhoad wrote: | I really need you to understand the difference between | their marketing claims and reality. Apple is really not | the champion for privacy they claim to be beyond the | extent that they can try and hurt Google in their | marketing. | xvector wrote: | Apple's privacy is a marketing farce. They run data | centers in China that provide full access to the | government. Their anti-ad campaign was simply a push to | gain dominance in the space themselves. They make a big | fuss about end-to-end encryption but don't even bother to | end to end encrypt your photos and backups! | | I actually worked at Apple a few years ago in security. I | was wondering why we didn't E2EE photos. The reason | seemed to be - from what other engineers told me - is | that it was at the behest of law enforcement. Lot easier | to cooperate with LE and comply with NSLs when you can | simply hand over the data they need. | | Until Apple end-to-end encrypts these two things, it's | all for naught. It doesn't fucking matter if your HomeKit | data is E2EE if someone can take a look at your nudes | without any cryptographic barrier. | | Take that for what you will. Having worked at both | companies during my career in a security capacity, I see | no reason to trust one over the other wrt cloud services. | | N.B. There are people at Apple that are very passionate | about security and privacy. I was privileged to work with | these people during my career. They really try to - and | do - make a difference. My post is not an attack on them, | but on the wider vision of the company, which is somewhat | hypocritical. | LtWorf wrote: | Why would I think there is any truth in something apple's | marketing department is saying? | neodypsis wrote: | That'd be cool. | consumer451 wrote: | That's interesting. Do you have any links for more info? | nonasktell wrote: | Before any backdooring purposes there is probably some | marketing/analytics reasons, keys, OTF updates etc... | godelski wrote: | It's not a realistic danger and just fear mongering. I'm | not sure why people on HN feel the need go after Signal so | hard. I do think criticism is important (and Signal | definitely deserves plenty) but these types of criticisms | are off base and not specific to Signal, nor are they that | relevant (kinda how people post on Signal's tweets about | Iran complaining about lack of usernames. Not the time nor | place). | | It isn't meaningfully different from saying that | Google/Apple can pretend to put the real App in the App | Store but replace it with one that has a backdoor. This is | entirely possible. But also the risk of this is extremely | high and people do decompile apps like Signal, WhatsApp, | and Telegram (albeit this can only go so far). These are | all high profile and highly scrutinized apps. It is just | fear mongering. | gengear wrote: | even if you compile yourself you can't be sure. [Reflections | on Trusting Trust ](https://www.cs.cmu.edu/~rdriley/487/paper | s/Thompson_1984_Ref...) | marcodiego wrote: | Reproducible builds make an attack like this as likely as | "the whole world is a big conspiracy". | 5d8767c68926 wrote: | Has that attack ever been observed in the wild? | | While I don't know if the current incarnations of Nix/Guix | will succeed, I think we are slowly making progress towards | reproducible builds everywhere. | whydoyoucare wrote: | No one knows for sure, though compromised compilers are | not far fetched - there has been an implicit trust on | compiler toolchains. Reproducible builds are a few years | out from full general adoption. | LtWorf wrote: | Assembly code can be read to see if it matches. | marcodiego wrote: | > Has that attack ever been observed in the wild? | | Yes: https://www.quora.com/What-is-a-coders-worst- | nightmare/answe... | | Also, I remember in the 90's, people talking about a | virus that infect pascal source code files. Memory is | spotty about it. | | > While I don't know if the current incarnations of | Nix/Guix will succeed, I think we are slowly making | progress towards reproducible builds everywhere. | | Fortunately, the answer is also positive here. | anthk wrote: | Not with Guix and Mes. | UncleMeat wrote: | Being open source doesn't actually save you from exploitable | vulns related to integer arithmetic. | marcodiego wrote: | I enables independent, non-involved, non-interested parties | to check it. Also when the protocol is open, it enables | multiple implementations; keeping a known-by-few trojan style | bug in all of them is specially difficult. | UncleMeat wrote: | That's true. And yet, the linux kernel consistently has | bugs like these in it. If you want exploitable vulns in | literal media codecs go have fun taking a look at the | history of ffmpeg. | | I love open source. In so many ways it is uniquely | responsible for the development of our technology | landscape. It is _observably_ not a meaningfully different | path to secure code than closed source development. | marcodiego wrote: | The difference in "who you have to trust" is reason | enough. | UncleMeat wrote: | If your concern is about deliberately inserted exploits | by the WhatsApp developers, that's got virtually nothing | to do with the topic at hand. | ianbutler wrote: | I think that's true of all software, people are fallible | open source or not. I'd love to see average time to | discovery and reporting in closed versus open source | though. I've always heard it's better in open source, | which intuitively makes sense, and by the nature of | closed source I think gathering the data will be | challenging but valuable to see a tight comparison. | UncleMeat wrote: | Lots of people have attempted this sort of analysis. You | can find attempts at this in ICSE of FSE or whatever. But | frankly there is no way to make effective science out of | this. All of the data are always messy and make huge | compromises to get anything even close to resembling an | apples-to-apples comparison. I don't believe that anybody | who claims it is meaningfully better in open source has | any actual data really backing that up. | | If you want my opinion, there is a huge gap between the | tiny portion of open source projects that get any real | professional scrutiny and the rest of the open source | ecosystem. For something like the linux kernel, there are | a lot of professionals who are deliberately focusing | their novel tools at it and reporting issues. This is | clearly better than nothing - though I'm not certain it | is so much better than nothing to call it a big win. And | this is the result of a large number of different teams | all looking at this one codebase. | | But pretty much immediately below "the linux kernel" in | visibility, everybody stops caring. Even hugely deployed | security-critical open source projects that manage media | decoding and network stacks get absolutely zero | professional analysis. All these projects get is the | useless "drive-by CVE-report" garbage where somebody | throws an off the shelf system at the repo and reports | everything it spits out, no matter how useless the | report. | ianbutler wrote: | Good insight about the long tail of open source projects | that don't have the same level of activity or interest | from the developer community. I hadn't considered how | sharply that drop off is, even for some what still widely | used projects simply because the amount of people with | the know how, and interest, to look for vulnerabilities | is a lot smaller than the available project surface area. | UncleMeat wrote: | I'm not even sure that "long tail" is the right phrase | for it. I'd say "virtually all." The number of open | source projects that get meaningful external scrutiny | from security researchers is in the tens. Tens. | | There is some automation out there. It is largely | worthless. Some stuff is real like "hey, you've got a | private key committed over here" but pretty quickly you | run into high false positive rate garbage when looking at | automated systems. | nicoburns wrote: | It's definitely a lot better in memory safe languages | (and especially in those applications that don't depend | on C libraries under the hood). You can still have | security bugs due to logic errors, but you won't ever get | remote code execution or ability to read arbitrary | memory. And in general bugs are much more likely to cause | a crash rather than give the attacker access. | | I suspect once C has been supplanted all the way down the | stack it might actually be feasible to eliminate these | kind of vulnerabilities entirely for apps where security | is of utmost importance. | UncleMeat wrote: | It is true that memory-safe languages are a massive | massive massive boon! I believe that the entire industry | needs to be making plans to find a way to shift all | applications that operate on untrusted data away from C | and C++. But this is completely orthogonal to the | purported security benefits of making your source | available. | LtWorf wrote: | It saves you from obviously planted ones that can be found by | code scanners. | UncleMeat wrote: | Is there any evidence that this overflow was easily found | with straightforward static analysis? | omniglottal wrote: | Seems you might be missing a key point - see, without | transparent, open access to the source code, there is | _nothing_ easily found. At a certain point, if a murderer | keeps "losing" the murder weapon, you might consider the | evidence you find to be that of criminal obstruction. | There is evidence that _everything_ is more easily found | when it 's not hidden, obfuscated, or obstructed. | UncleMeat wrote: | Sure. It is easier to throw an off the shelf analysis at | source than worrying about binary decompilation with | ghidra or whatever (well, for binaries - for bytecode it | is almost exactly the same when given bytecode or | source). But is this a _meaningful_ difference? Real | researchers, both academic and non-academic, do inspect | open source code and report vulns they find. But this isn | 't actually actionable information from the perspective | of a user who wants to make a risk assessment about their | software choices. "Hey, you _can_ run ${STATIC_TOOL} on | this app " does not actually convert to "app is free from | vulns." It just doesn't. | | I love static analysis for vuln detection. I did my PhD | on it. It remains my day job. It helps us find vulns. It | doesn't actually convert us from unsafe software to safe | software. | [deleted] | upofadown wrote: | There was an interesting case where a bunch of Android | messenger things got a WebRTC based remote code execution[1]. | Signal got dinged to the extent that an attacker could trigger | it with no action on the user's part. | | The root problem here is that users want lots of features. Each | added feature, particularly super complex ones like video, | takes away from security. There is not point in spending a lot | of time on your own code if you are going to end up invoking a | whole lot of code that you can't control. | | [1] https://googleprojectzero.blogspot.com/2020/08/exploiting- | an... | xvector wrote: | > The root problem here is that users want lots of features | | Do devs have to implement these features in shitty memory- | unsafe languages? | gunwithdots wrote: | On this subject, I like to quote Pavel Durov, the founder of | Telegram: | | "Since the creation of WhatsApp, there's hardly been a moment in | which it was secure: every few months researchers uncover a new | security issue in the app. I wrote about this in detail 2 years | ago (read here if you missed it). Nothing has changed since then. | | It would be hard to believe that the technical team of WhatsApp | is so consistently incompetent. Telegram, a far more | sophisticated app, has never had security issues of such | severity." | saagarjha wrote: | > It would be hard to believe that the technical team of | WhatsApp is so consistently incompetent. Telegram, a far more | sophisticated app, has never had security issues of such | severity. | | This says a lot more about the technical competence of Pavel | Durov than it does of the WhatsApp team. | fsociety wrote: | I strongly dislike this perspective and find it naive. It is | similar to saying Mac is more secure than Windows. WhatsApp is | a huge target compared to Telegram. | | I guarantee you if we all switched to Telegram nothing would | change, and I would bet money these exploits boil down to open | source libraries which are commonly used in these apps. | | It does not pay to be high browed with security. Even Chrome, | with all its investment into security, gets pwned on a regular | basis. | staticassertion wrote: | Telegram has had an arguably worse history of issues. | AaronFriel wrote: | I wonder if someone more informed could help me understand | Telegram's business model, as I don't think I could rightly | describe the startup and product in a way that wouldn't sound | like I was casting aspersions. | | Why would anyone use Telegram over something end to end | encrypted, like Signal, Matrix, WhatsApp, Facebook Messenger, | etc.? | neongreen wrote: | I've tried all of the apps you listed and they all have | significantly less polished UX, except perhaps for Messenger. | In an alternative universe, I could very well be using | Messenger. | | My personal assessment is that if you have to communicate | something that must not ever leak out, you shouldn't use a | chat app at all, period -- because in many many cases my | interlocutor is less careful than I am (or their degree of | carefulness is unknown). You can use an E2E video app but not | a chat app. Telegram's video is E2E. | | If my entire Telegram history leaks out, I estimate that I'll | be in a bit of trouble, but not significant trouble. | | Of course, I might be wrong. In fact, while writing this | comment I realized that the risk is probably somewhat bigger | than I think it is, and in an ideal world using E2E would be | advisable. | | However, this isn't "why you should use Telegram" but rather | "why do you use Telegram", so this is why I use it -- | significantly better UX, partly network effect, and partly | that leaking my entire history is not even in the top 100 | worries I have in life. | mr_mitm wrote: | It has features that regular users really, really like. Not | having to associate the account with a phone number, | scheduled messages, groups/channels with thousands of users, | the ability to program bots, silent messages, editable | messages, ... | | Some people care more about these than security or privacy. | It's that simple. | | As for monetization, I believe they have premium stickers and | such. | godelski wrote: | I think the irony is that so many attack Signal for | pursuing more features. While they aren't features I | personally care about I do recognize that I can't have | secure communications with people that are unwilling to use | secure means of messaging. While I want anonymous | identities (not actually usernames akin to what we have | here) I do think the social graph is far more important. | Not that you can't work on both at the same time (though | Telegram and WA have significantly more developers) | yazzku wrote: | Network effects too. Telegram is big in Europe. | orangepurple wrote: | godelski wrote: | > Wouldn't be shocked at all if Moxie is part of the | Mossad. | | Hacker News is not the place to spread conspiracy theories. | If you have compelling evidence, link it. If not, keep it | to yourself. | | > Signal is suffocated by Moxie's tyranny. | | Good news, Moxie hasn't been with Signal for at least 9 | months. | comboy wrote: | Hey, I'd love to hear that one. Moxie has been around for | a long time. If somebody has rationalizations for | everything he released broken and talked about in context | of being part of Mossad that should be a fun read. | glintik wrote: | <<The Russian government hates him too.>> Telegram is one | of few popular messengers that are NOT blocked/prohibited | in Russia. So government and Durov have some agreement. | orangepurple wrote: | Russia's main security agency, the FSB (a successor to | the KGB) has branded Telegram the messenger of choice for | "international terrorist organizations in Russia." | | The government's first attempts to ban it, a year ago, | resulted in entire sections of the web, online stores, | services--even the Kremlin museum's ticket sales--being | inadvertently blocked. But the messaging app has adopted | a clever system of changing IP addresses that currently | outsmarts the government ban. | | Meanwhile, users have continued to access Telegram | through VPNs, or virtual private networks, which have | become increasingly popular. | | It is difficult or impossible to block Telegram in | Russia. | | https://decrypt.co/6454/russia-internet-ban-block- | telegram-m... | staticassertion wrote: | > Russia's main security agency, the FSB (a successor to | the KGB) has branded Telegram the messenger of choice for | "international terrorist organizations in Russia." | | You ever hear of ANoM? | mkmk3 wrote: | Coming from an app with a quarter of the users (so to say it's | been less of a subject of investigation as such). "Far more | sophisticated" also? What does that mean? | | If Whatsapp has voluntarily been adding these issues, or has | been targeted somehow, I would love to dig into research | related to that. I'll check out the details regarding this | attack in some hours. | | This perspective seems extreme given the current evidence | though. Switch to something like Matrix for sure though u.u | | Edit: I'm not a proponent for whatsapp. I just understand | telegram also isn't the best, and has a good incentive to shit | on whatsapp | marioestrada wrote: | just google for "telegram vulnerability" and you'll quickly | find how full of crap Pavel Durov is... | saddlerustle wrote: | Telegram implements video calling using bunch of sketchy C code | same as WhatsApp and Signal. There's no reason to think it's | less vulnerable these sort of bugs. | orangepurple wrote: | "sketchy c code" is a tautology | nyanpasu64 wrote: | Out-of-bounds indexing is always fun. I'm interested in | programming languages with mostly-watertight spatial memory | safety, which can prevent many exploits at a minimal | ergonomic/flexibility cost, compared to temporal memory safety | which requires a borrow checker and endless compiler complexity | (plus I find it easier to statically verify you don't use-after- | free in the limited code interacting with resource lifetimes, | than index out-of-bounds in the majority of business logic | interacting with arrays). | alskdjflksjdf wrote: | funny how all the whatsapp advisories since 2019 just move the | same vulnerability around. Always an innocent stream processor | missing a bounds check. Ooops. | Forbo wrote: | I noticed the same thing with Cisco vulns a while back. How | many times do you hard code credentials before it becomes an | intentional backdoor rather than negligence? | manquer wrote: | It is more the corporate culture on how security is treated . | | Sure it is might convenient for NSA who probably use it when | it is found , but is less likely that company of cisco size | can intentionally do something like that coordinated and keep | it secret too. | tinus_hn wrote: | Or perhaps the researchers are just looking for | vulnerabilities similar to the last one found. | saagarjha wrote: | If you keep finding bedbugs in your house it doesn't mean | someone is intentionally putting them there. It just means | that it's really hard to get rid of all of them and more pop | up naturally. | bobkazamakis wrote: | alternatively you just haven't found what keeps attracting | these bed bugs, like easy prey. ___________________________________________________________________ (page generated 2022-09-27 23:00 UTC)