October 09, 2018 | Swati Khandelwal
What if just receiving a video call on WhatsApp could hack your smartphone?
It sounds like a movie plot, but Google Project Zero security researcher Natalie Silvanovich found a critical vulnerability in WhatsApp messenger that could have allowed hackers to remotely take full control of your WhatsApp just by video calling you over the messaging app.
The vulnerability is a heap memory overflow that is triggered when a user receives a specially crafted, malformed RTP packet via a video call request, resulting in memory corruption that crashes the WhatsApp mobile app.
Since the vulnerability affects WhatsApp's RTP (Real-time Transport Protocol) implementation, the flaw affects the Android and iOS apps, but not WhatsApp Web, which relies on WebRTC for video calls.
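The article does not describe the exact parsing flaw, so the following is an added example (not WhatsApp's code and not from the Project Zero report) of the length checks a receiver needs before copying an RTP payload into a fixed-size heap buffer, using the RFC 3550 header layout. The function name `rtp_copy_payload`, the buffer `out_buf` and the sample packets are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: copies the RTP payload into out (capacity out_cap).
 * Returns the payload length, or -1 if the packet is malformed or too big. */
long rtp_copy_payload(const uint8_t *pkt, size_t len, uint8_t *out, size_t out_cap)
{
    if (!pkt || !out || len < 12 || (pkt[0] >> 6) != 2)
        return -1;                       /* shorter than fixed header, or version != 2 */
    size_t off = 12 + (size_t)(pkt[0] & 0x0F) * 4;   /* skip CSRC list (CC field) */
    if (off > len)
        return -1;
    if (pkt[0] & 0x10) {                 /* X bit: header extension present */
        if (len - off < 4)
            return -1;
        size_t ext_bytes = (((size_t)pkt[off + 2] << 8) | pkt[off + 3]) * 4;
        off += 4;
        if (ext_bytes > len - off)       /* sender-controlled length field */
            return -1;
        off += ext_bytes;
    }
    size_t payload_len = len - off;
    if (pkt[0] & 0x20) {                 /* P bit: last byte holds the padding count */
        size_t pad = payload_len ? pkt[len - 1] : 0;
        if (pad == 0 || pad > payload_len)
            return -1;
        payload_len -= pad;
    }
    if (payload_len > out_cap)           /* omitting this check overflows the buffer */
        return -1;
    memcpy(out, pkt + off, payload_len);
    return (long)payload_len;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t pkt_ok[16]      = {0x80, 96, 0,1, 0,0,0,1, 0,0,0,2, 'd','a','t','a'};
static const uint8_t pkt_bad_cc[12]  = {0x8F, 96, 0,1, 0,0,0,1, 0,0,0,2};
static const uint8_t pkt_bad_ext[16] = {0x90, 96, 0,1, 0,0,0,1, 0,0,0,2, 0,0, 0xFF,0xFF};
static const uint8_t pkt_pad[16]     = {0xA0, 96, 0,1, 0,0,0,1, 0,0,0,2, 'h','i', 0, 2};
static uint8_t out_buf[8];               /* fixed-size receive buffer for the demo */

int main(void)
{
    printf("%ld %ld %ld %ld\n",
           rtp_copy_payload(pkt_ok, sizeof pkt_ok, out_buf, sizeof out_buf),
           rtp_copy_payload(pkt_bad_cc, sizeof pkt_bad_cc, out_buf, sizeof out_buf),
           rtp_copy_payload(pkt_bad_ext, sizeof pkt_bad_ext, out_buf, sizeof out_buf),
           rtp_copy_payload(pkt_pad, sizeof pkt_pad, out_buf, sizeof out_buf));
    return 0;
}
```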
Silvanovich also published a proof-of-concept exploit, along with the instructions for reproducing the WhatsApp attack.
Although the proof-of-concept published by Silvanovich only triggers memory corruption, another Google Project Zero researcher, Tavis Ormandy, claims that “This is a big deal. Just answering a call from an attacker could completely compromise WhatsApp.”
In other words, hackers only need your phone number to completely hijack your WhatsApp account and spy on your secret conversations.
Silvanovich discovered and reported the vulnerability to the WhatsApp team in August this year. WhatsApp acknowledged and patched the issue on September 28 in its Android client and on October 3 in its iPhone client.
So if you have not yet updated your WhatsApp for Android or WhatsApp for iOS, you should consider upgrading now.
Two months ago, researchers also discovered a flaw in the way the WhatsApp mobile app connects with WhatsApp Web that allowed malicious users to intercept and modify the content of messages sent in both private and group conversations.