WhatsApp has fixed a bug in the app, which allowed hackers to take over the app and crash the device during an incoming video call. The bug was fixed in both the Android and iOS versions of the app, according to a report on ZDNet. It was discovered by Natalie Silvanovich, who is a security researcher with Google’s Project Zero security research team. She has also shared details of the bug on the Chromium blog.
According to the researcher, the bug is a “memory corruption bug in WhatsApp’s non-WebRTC video conferencing implementation.” The problem can take place when a user accepts a video call on WhatsApp from a malicious peer, notes the report on ZDNet.
“Heap corruption can occur when the WhatsApp mobile application receives a malformed RTP packet,” Silvanovich said in a bug report. Essentially, if the video call is from a malicious user, they can exploit the bug to cause a crash.
Answering a video call from an attacker could compromise WhatsApp. The web version of the app is not impacted because it relies on WebRTC, a different protocol, for video calls. On Android and iOS, WhatsApp uses the Real-time Transport Protocol (RTP) for video calls, and that implementation had this bug.
Based on the bug report, once the hacker calls the device and the user takes the call on WhatsApp, the device ends up crashing in a few seconds. The researcher also noted that she had “modified the Android target binary to disable WhatsApp’s custom crash handling.”
The blog post on the bug report also notes that the issue was fixed via an update on September 28 on Android, while the iOS update was issued on October 3. Users who rely on WhatsApp for video calls and daily messages should make sure the app has been updated to the latest version so that they are not affected by the problem.
WhatsApp has also issued a statement saying it promptly fixed the issue, adds the report. WhatsApp also said there was no evidence anyone actually carried out this kind of attack.