Critical vulnerability that could compromise your WhatsApp account when answering a video call fixed
Although WhatsApp uses end-to-end encryption for messages, voice calls and video calls, your smartphone could still be hacked just by answering a video call.
This is what was discovered by Natalie Silvanovich, a security researcher with Google’s Project Zero security research team. She found a severe vulnerability in WhatsApp Messenger that could have given hackers complete remote control of your WhatsApp just by video calling you over the messaging app.
Silvanovich reported the vulnerability to WhatsApp at the end of August this year. The company fixed it on September 28 in the Android client and on October 3 in the iPhone client.
The vulnerability is a heap memory overflow. In other words, it is a “memory corruption bug in WhatsApp’s non-WebRTC video conferencing implementation”. The bug is triggered when a user receives a malformed RTP (Real-time Transport Protocol) packet during a video call, which causes the memory corruption and crashes the WhatsApp mobile application.
“This issue can occur when a WhatsApp user accepts a call from a malicious peer,” Silvanovich said in a bug report. “It affects both the Android and iPhone clients.”
Silvanovich also published proof-of-concept code, along with instructions for reproducing the WhatsApp attack. The vulnerability only affects the Android and iOS apps, since they use RTP for video conferencing. WhatsApp Web, which depends on WebRTC for video calls, was unaffected.
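The bug class described above comes down to a receiver trusting length information inside an RTP packet. The following is an added example, not WhatsApp's code and not a reproduction of the reported flaw: a hypothetical helper, rtp_copy_payload, that checks every length-bearing field of the RFC 3550 header against the real packet size before copying the payload to the heap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RTP_FIXED_HDR 12u   /* fixed RTP header size (RFC 3550) */

/* Hypothetical helper: heap copy of the RTP payload, or NULL if malformed. */
uint8_t *rtp_copy_payload(const uint8_t *pkt, size_t len, size_t *out_len)
{
    if (!pkt || !out_len || len < RTP_FIXED_HDR) return NULL;
    if ((pkt[0] >> 6) != 2) return NULL;                 /* version must be 2 */
    size_t off = RTP_FIXED_HDR + 4u * (pkt[0] & 0x0Fu);  /* skip CSRC list */
    if (off > len) return NULL;                          /* CSRC count overruns packet */
    if (pkt[0] & 0x10) {                                 /* X bit: extension header */
        if (len - off < 4) return NULL;
        size_t ext = 4u * (((size_t)pkt[off + 2] << 8) | pkt[off + 3]);
        off += 4;
        if (ext > len - off) return NULL;                /* declared length exceeds data */
        off += ext;
    }
    size_t payload_len = len - off;
    if (pkt[0] & 0x20) {                                 /* P bit: trailing padding */
        size_t pad = pkt[len - 1];                       /* last octet holds pad count */
        if (pad == 0 || pad > payload_len) return NULL;
        payload_len -= pad;
    }
    if (payload_len == 0) return NULL;
    uint8_t *buf = malloc(payload_len);                  /* sized from validated length */
    if (!buf) return NULL;
    memcpy(buf, pkt + off, payload_len);
    *out_len = payload_len;
    return buf;
}

int main(void)
{
    /* Constructed packet: extension length field claims far more than the packet holds. */
    const uint8_t bad[] = {0x90, 0x60, 0, 1, 0, 0, 0, 1, 0, 0, 0, 2, 0, 0, 0xFF, 0xFF, 1, 2};
    size_t n = 0;
    uint8_t *p = rtp_copy_payload(bad, sizeof bad, &n);
    printf("%s\n", p ? "accepted" : "rejected");
    free(p);
    return 0;
}
```

Every subtraction is guarded by a preceding comparison, so none of the size_t values can wrap around and produce an oversized copy length.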
Tavis Ormandy, another Google Project Zero researcher, said that the flaw was serious, as hackers could have completely taken control of your WhatsApp account and spied on your secret conversations.
“This is a big deal. Just answering a call from an attacker could completely compromise WhatsApp,” Ormandy said.
Although the WhatsApp bug has been patched, we recommend that WhatsApp users update to the latest version of the messaging app on Android and iOS.