- A bug that allowed hackers to take control of WhatsApp during video calls has been patched.
- The bug was discovered by a security researcher from Google’s Project Zero.
- The security flaw affected iOS and Android users only while other platforms were unaffected.
A WhatsApp security flaw found by a Google Project Zero security researcher has been patched. The bug allowed hackers to take control of a WhatsApp account through the video call feature. Security researcher Natalie Silvanovich, who found the bug, revealed that it was a memory corruption bug in the app's non-WebRTC video calling implementation.
Google’s Project Zero is responsible for finding security flaws in non-Google services and reporting them to the developers. The security unit had recently identified multiple vulnerabilities in Apple’s iOS platform as well. Project Zero’s bug report stated: “Heap corruption can occur when the WhatsApp mobile application receives a malformed RTP packet. This issue can occur when a WhatsApp user accepts a call from a malicious peer.”
This is a big deal. Just answering a call from an attacker could completely compromise WhatsApp. https://t.co/vjHuWt8JYa
— Tavis Ormandy (@taviso) October 9, 2018
Since Android and iOS are the only platforms that use the Real-Time Transport Protocol (RTP), they were the only platforms affected. The online web client uses WebRTC and was not affected. The details of the exploit have been posted in the Chromium bugs section along with a replication guide. The method no longer works because the flaw has been patched. Android and iOS users should update to the latest version immediately to avoid the risks associated with the older version of the app.
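The kind of check that keeps a malformed RTP packet from corrupting memory, as an added example: it is not WhatsApp's code and not a reconstruction of the reported bug, whose details this page does not give. It validates every length field of the RFC 3550 header against the received size before the payload is touched; `rtp_parse`, `rtp_view` and the sample packets are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct rtp_view { const uint8_t *payload; size_t payload_len; uint8_t pt; uint16_t seq; };

/* Constructed sample packets (not captured traffic). */
static const uint8_t ok_pkt[]  = {0x80,0x60,0,1, 0,0,0,0, 0,0,0,1, 0xAA,0xBB};
static const uint8_t bad_cc[]  = {0x8F,0x60,0,2, 0,0,0,0, 0,0,0,1, 0xAA,0xBB};     /* claims 15 CSRCs */
static const uint8_t bad_ext[] = {0x90,0x60,0,3, 0,0,0,0, 0,0,0,1, 0,0,0xFF,0xFF}; /* ext of 65535 words */
static const uint8_t bad_pad[] = {0xA0,0x60,0,4, 0,0,0,0, 0,0,0,1, 0xAA,0xFF};     /* claims 255 pad bytes */

/* Returns 0 and fills *out only when every length field fits inside len. */
int rtp_parse(const uint8_t *buf, size_t len, struct rtp_view *out)
{
    if (!buf || !out || len < 12) return -1;       /* fixed header is 12 bytes */
    if ((buf[0] >> 6) != 2) return -1;             /* RTP version must be 2 */

    size_t off = 12 + 4 * (size_t)(buf[0] & 0x0F); /* CSRC count * 4 bytes */
    if (off > len) return -1;

    if (buf[0] & 0x10) {                           /* X bit: extension header */
        if (len - off < 4) return -1;
        size_t ext = 4 * (((size_t)buf[off + 2] << 8) | buf[off + 3]);
        off += 4;
        if (ext > len - off) return -1;            /* subtract, never add, to avoid wrap */
        off += ext;
    }

    size_t end = len;
    if (buf[0] & 0x20) {                           /* P bit: last byte is pad count */
        size_t pad = buf[len - 1];
        if (pad == 0 || pad > len - off) return -1;
        end = len - pad;
    }

    out->payload = buf + off;                      /* stays inside the caller's buffer */
    out->payload_len = end - off;
    out->pt = buf[1] & 0x7F;
    out->seq = (uint16_t)((buf[2] << 8) | buf[3]);
    return 0;
}

int main(void)
{
    struct rtp_view v;
    printf("ok=%d cc=%d ext=%d pad=%d\n",
           rtp_parse(ok_pkt, sizeof ok_pkt, &v), rtp_parse(bad_cc, sizeof bad_cc, &v),
           rtp_parse(bad_ext, sizeof bad_ext, &v), rtp_parse(bad_pad, sizeof bad_pad, &v));
    return 0;
}
```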
WhatsApp fixed the issue earlier this week and kept details about the vulnerability under wraps until the patch was released. Another security issue plagued WhatsApp last week because of how Israel’s voicemail is implemented. Because most telecoms offer a default password to all users, cybercriminals with no hacking knowledge or tools could easily get access to WhatsApp accounts. This led to a nationwide security alert, and the issue is still being addressed.