WhatsApp has fixed a bug in its mobile apps on Android and iOS that could potentially allow hackers to crash the app during a call. A security researcher had discovered and reported the flaw to WhatsApp back in August. The company has now fixed the potentially serious issue and the details are now in the public domain. The researcher has explained the vulnerability as a "memory corruption bug in WhatsApp's non-WebRTC video conferencing implementation." This essentially means that the flaw left WhatsApp users vulnerable during video calls on the app.
Natalie Silvanovich, a researcher in Google's Project Zero security research team and a Tamagotchi hacker first spotted the WhatsApp vulnerability. In a bug report, Silvanovich says, "Heap corruption can occur when the WhatsApp mobile application receives a malformed RTP packet." The malformed packet that triggers the crash could be sent through a call request. She adds, "This issue can occur when a WhatsApp user accepts a call from a malicious peer."
It is worth mentioning that just the WhatsApp app on Android and iOS were affected because they use the Real-time Transport Protocol (RTP) for video calls. The WhatsApp for Web client was unaffected since it uses WebRTC for video conferencing. The researcher has also published proof-of-concept code and instructions on how to reproduce such an attack.
We reached out to WhatsApp to comment on the bug and its fix, and received a statement from a company spokesperson, "WhatsApp cares deeply about the security of our users. We routinely engage with security researchers from around the world to ensure WhatsApp remains safe and reliable. We promptly issued a fix to the latest version of WhatsApp to resolve this issue."
The issue also drew the attention of another Google researcher Tavis Ormandy, who in a tweet, said, "This is a big deal. Just answering a call from an attacker could completely compromise WhatsApp," indicating that crashing the victim's app may not be the worst thing that could be done.
Notably, the bug was fixed on September 28 in the WhatsApp Android client and on October 3 in the iPhone client, Silvanovich said. Since the WhatsApp bug has been patched, the company recommended users should update to the latest version of the app on Android and iOS.