WhatsApp has recently fixed a critical bug in its Android and iOS applications that allowed attackers to hijack a user's app through a video call. The vulnerability was discovered at the end of August 2018 and was fixed by Facebook in early October.
The vulnerability as described by the researcher was a “memory corruption bug in WhatsApp’s non-WebRTC video conferencing implementation.”
What is the vulnerability?
The vulnerability is a heap memory overflow that is triggered when a user accepts a video call request carrying a malformed RTP packet. This in turn corrupts memory and crashes the application.
Only WhatsApp's Android and iOS clients are affected, as they are the only clients that use the Real-time Transport Protocol (RTP) for video conferencing. WhatsApp's web client is not affected because it uses WebRTC for video calls.
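The article describes the root cause only in general terms: a malformed RTP packet reaching the video-call parser. The following is an added example, not WhatsApp's code and not the researcher's proof of concept, showing the kind of length validation an RTP header parser needs so that attacker-controlled fields (the CSRC count, the extension length, the padding byte) can never drive a read or copy past the end of the received buffer. The packet bytes are constructed for this example and the RFC 3550 header layout is the only assumption made.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Parsed view of an RTP packet (RFC 3550 fixed header + optional parts). */
typedef struct {
    uint8_t  version, padding, extension, csrc_count, marker, payload_type;
    uint16_t seq;
    uint32_t timestamp, ssrc;
    uint32_t csrc[15];          /* CC is a 4-bit field, so at most 15 entries */
    const uint8_t *payload;     /* points into the caller's buffer, not copied */
    size_t   payload_len;
} rtp_packet_t;

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Returns 0 on success, a negative code when the packet is malformed.
 * Every length derived from packet contents is checked against the
 * remaining buffer before it is used, so a hostile header cannot cause
 * an out-of-bounds read or an oversized copy. */
int rtp_parse(const uint8_t *buf, size_t len, rtp_packet_t *out) {
    if (!buf || !out || len < 12) return -1;          /* fixed header is 12 bytes */
    memset(out, 0, sizeof(*out));

    out->version      = buf[0] >> 6;
    if (out->version != 2) return -2;                  /* only RTP version 2 is valid */
    out->padding      = (buf[0] >> 5) & 1;
    out->extension    = (buf[0] >> 4) & 1;
    out->csrc_count   = buf[0] & 0x0f;
    out->marker       = buf[1] >> 7;
    out->payload_type = buf[1] & 0x7f;
    out->seq          = (uint16_t)((buf[2] << 8) | buf[3]);
    out->timestamp    = read_be32(buf + 4);
    out->ssrc         = read_be32(buf + 8);

    size_t off = 12;
    size_t csrc_bytes = (size_t)out->csrc_count * 4;
    if (len - off < csrc_bytes) return -3;             /* CC claims more CSRCs than present */
    for (size_t i = 0; i < out->csrc_count; i++)
        out->csrc[i] = read_be32(buf + off + 4 * i);
    off += csrc_bytes;

    if (out->extension) {
        if (len - off < 4) return -4;                  /* extension header itself must fit */
        size_t ext_words = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        off += 4;
        if (len - off < ext_words * 4) return -5;      /* extension length exceeds buffer */
        off += ext_words * 4;
    }

    size_t end = len;
    if (out->padding) {
        if (end <= off) return -6;                     /* no room for the padding-count byte */
        uint8_t pad = buf[end - 1];
        if (pad == 0 || pad > end - off) return -7;    /* padding count must be sane */
        end -= pad;
    }

    out->payload     = buf + off;
    out->payload_len = end - off;
    return 0;
}

/* Constructed sample packets (not captured traffic). */
/* Well-formed: V=2, CC=0, PT=96, seq=1, 4-byte payload. */
static const uint8_t good_packet[] = {
    0x80, 0x60, 0x00, 0x01, 0x00, 0x00, 0x00, 0x10,
    0xde, 0xad, 0xbe, 0xef, 0xaa, 0xbb, 0xcc, 0xdd };
/* Malformed: CC=15 claims 60 bytes of CSRCs but only 4 bytes follow the header. */
static const uint8_t bad_csrc_packet[] = {
    0x8f, 0x60, 0x00, 0x02, 0x00, 0x00, 0x00, 0x10,
    0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04 };
/* Malformed: X=1 with an extension length of 0xffff words (256 KiB) in a 16-byte packet. */
static const uint8_t bad_ext_packet[] = {
    0x90, 0x60, 0x00, 0x03, 0x00, 0x00, 0x00, 0x10,
    0xde, 0xad, 0xbe, 0xef, 0xbe, 0xde, 0xff, 0xff };

int main(void) {
    rtp_packet_t p;
    printf("good: rc=%d payload_len=%zu\n", rtp_parse(good_packet, sizeof good_packet, &p), p.payload_len);
    printf("bad CSRC count: rc=%d\n", rtp_parse(bad_csrc_packet, sizeof bad_csrc_packet, &p));
    printf("bad extension length: rc=%d\n", rtp_parse(bad_ext_packet, sizeof bad_ext_packet, &p));
    return 0;
}
```

The two malformed packets are the shape of input a parser must reject: each header field that encodes a length is attacker-controlled, and a parser that trusts it and copies or indexes accordingly will read or write beyond the buffer it was given. Rejecting the packet before any copy, as above, is the defensive pattern; fuzzing the parser with such packets is how a defender confirms it.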
A WhatsApp employee said there was no evidence that hackers actually exploited the bug to launch attacks. A Google spokesman also said the company was not aware of the bug ever being used in an attack before getting patched.
Comments from Ankush Johar, Director at Infosec Ventures, an organisation that provides complete infrastructure security solutions for commercial and government clients of all sizes:
Although this vulnerability has recently been discovered, it is not known for how long it has been out in the open. It is possible that certain malicious hackers might already be exploiting this while staying undetected.
Although the vulnerability is patched now, users must take this as a lesson and stay vigilant while interacting with unknown people, especially over e-channels such as email, e-chat applications and social media.
Security of an individual is in his own hands and the only way to stay secure is to simply assume that no matter how you are communicating, someone, somewhere is already snooping on it and hence act accordingly.
Comments from Manish Kumawat, Director at Cryptus Cyber Security Pvt Ltd, an organisation that provides cyber security services and corporate training to government and private organisations:
A security researcher discovered a critical bug in WhatsApp and reported it to WhatsApp back in August. The company has fixed this critical-severity bug and the details are now available in the public domain. The bug exists because WhatsApp uses the Real-time Transport Protocol for video calls. WhatsApp for Web was unaffected because it uses WebRTC for video conferencing. The researcher has published proof-of-concept code on the website, along with instructions on how to perform the attack. Users should update to WhatsApp's latest version on Android and iOS.