WhatsApp plugs a video call exploit that allowed account hijacks

Joanna Estrada
October 11, 2018

Google Project Zero whizkid and Tamagotchi whisperer Natalie Silvanovich discovered the flaw, a heap memory overflow, and reported it directly to WhatsApp in August. The severe vulnerability in WhatsApp Messenger could have given hackers complete remote control of your WhatsApp just by video calling you over the messaging app.

We reached out to WhatsApp to comment on the bug and its fix, and received a statement from a company spokesperson: "WhatsApp cares deeply about the security of our users."

A critical vulnerability in the WhatsApp messaging app for Android and iOS that could have been activated simply by a user answering a call was fixed today. The flaw is triggered by a malformed RTP packet, which could be delivered to the victim's phone via a WhatsApp video call. The flaw does suggest that users will want to be extra-vigilant, both in locking down their account info and in refusing to accept calls from strangers. The researcher has also published proof-of-concept code and instructions on how to reproduce such an attack.

The bug report explains that the bug affected only the iOS and Android clients, because they use the Real-time Transport Protocol (RTP) for video calls. To be on the safe side, WhatsApp users are advised to exercise caution when receiving video calls from strangers. "Just answering a call from an attacker could completely compromise WhatsApp," Ormandy said.

Notably, the bug was fixed on September 28 in the WhatsApp Android client and on October 3 in the iPhone client, Silvanovich said.

According to The Register, WhatsApp users on mobile can protect themselves from the flaw by updating to the app's latest version, in which the bug has been patched.
