WhatsApp has fixed a bug that could have caused the app on both Android and iOS platforms to crash on receiving calls
WhatsApp has released a fix for a vulnerability in its Android and iOS apps that could have allowed an attacker to crash the app simply by placing a call. The flaw was found by a researcher at Google Project Zero, who reported it to the Facebook-owned company in August this year. An attacker could trigger a heap memory overflow that ultimately crashes the app as soon as the user receives a call.
Natalie Silvanovich reported the bug to WhatsApp on August 31. Now that WhatsApp has acknowledged and patched it, Silvanovich has made the bug public by posting it on the Project Zero forum.
When a WhatsApp user receives a call, a malicious peer can send a malformed packet over RTP, the protocol WhatsApp uses for VoIP. The malformed RTP packet triggers heap corruption that crashes WhatsApp on both Android and iOS. “This issue can occur when a WhatsApp user accepts a call from a malicious peer. It affects both the Android and iPhone clients,” she wrote in the bug report.
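The crash described above is the classic failure mode of a media parser: a length that the packet declares about itself (how many CSRC identifiers, how long the header extension, how much padding) is trusted before it is checked against the number of bytes actually received. The C parser below is an added example written for this article; it is not WhatsApp's code and is not derived from the bug report, and the two sample packets are constructed for illustration. It shows the bounds checks a receiver should apply to the RTP fixed header, CSRC list, extension and padding (RFC 3550) before any payload is copied, and rejects a packet whose declared extension length exceeds the data on the wire.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Parsed view of an RTP packet (RFC 3550 fixed header plus optional parts). */
typedef struct {
    uint8_t  version;
    uint8_t  csrc_count;
    int      has_extension;
    uint16_t ext_words;        /* header extension length in 32-bit words */
    size_t   payload_offset;
    size_t   payload_len;
} rtp_view_t;

/* Returns 0 on success, a negative code on a malformed packet. Every length
 * the packet declares about itself is checked against `len`, the number of
 * bytes actually received, before it is used to advance the cursor. */
int rtp_parse(const uint8_t *buf, size_t len, rtp_view_t *out)
{
    if (buf == NULL || out == NULL || len < 12)
        return -1;                       /* shorter than the fixed header */

    uint8_t b0 = buf[0];
    uint8_t version = b0 >> 6;
    int padding = (b0 >> 5) & 1;
    int ext = (b0 >> 4) & 1;
    uint8_t cc = b0 & 0x0f;
    if (version != 2)
        return -2;

    size_t off = 12 + (size_t)cc * 4;    /* CSRC list follows the fixed header */
    if (off > len)
        return -3;                       /* CSRC count exceeds packet size */

    uint16_t ext_words = 0;
    if (ext) {
        if (len - off < 4)
            return -4;                   /* extension header truncated */
        ext_words = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
        off += 4;
        if ((size_t)ext_words * 4 > len - off)
            return -5;                   /* declared extension longer than packet */
        off += (size_t)ext_words * 4;
    }

    size_t pad = 0;
    if (padding) {
        pad = buf[len - 1];              /* last octet holds the padding count */
        if (pad == 0 || pad > len - off)
            return -6;                   /* padding count inconsistent */
    }

    memset(out, 0, sizeof *out);
    out->version = version;
    out->csrc_count = cc;
    out->has_extension = ext;
    out->ext_words = ext_words;
    out->payload_offset = off;
    out->payload_len = len - off - pad;
    return 0;
}

/* Copies the payload into a caller-owned buffer only after validation, so a
 * lying length field can never drive the memcpy. Returns bytes copied or -1. */
int rtp_copy_payload(const uint8_t *pkt, size_t len, uint8_t *dst, size_t dst_cap)
{
    rtp_view_t v;
    if (rtp_parse(pkt, len, &v) != 0 || v.payload_len > dst_cap)
        return -1;
    memcpy(dst, pkt + v.payload_offset, v.payload_len);
    return (int)v.payload_len;
}

/* Constructed sample packets (not captured from any real call).
 * GOOD_PKT: V=2, X=1, CC=1, one CSRC, a 1-word extension, 3-byte payload. */
static const uint8_t GOOD_PKT[] = {
    0x91, 0x60, 0x00, 0x01, 0x00, 0x00, 0x00, 0x10, 0xde, 0xad, 0xbe, 0xef,
    0x11, 0x22, 0x33, 0x44,            /* one CSRC */
    0xbe, 0xde, 0x00, 0x01,            /* extension: profile, length = 1 word */
    0xaa, 0xbb, 0xcc, 0xdd,            /* extension data */
    0x01, 0x02, 0x03                   /* payload */
};
/* BAD_PKT: same layout, but the extension claims 0xffff words (262140 bytes). */
static const uint8_t BAD_PKT[] = {
    0x91, 0x60, 0x00, 0x01, 0x00, 0x00, 0x00, 0x10, 0xde, 0xad, 0xbe, 0xef,
    0x11, 0x22, 0x33, 0x44,
    0xbe, 0xde, 0xff, 0xff,
    0x01, 0x02, 0x03
};

/* Small accessors so the samples can be exercised from outside this file. */
const uint8_t *good_pkt(void) { return GOOD_PKT; }
size_t good_pkt_len(void) { return sizeof GOOD_PKT; }
const uint8_t *bad_pkt(void) { return BAD_PKT; }
size_t bad_pkt_len(void) { return sizeof BAD_PKT; }
int parse_result(const uint8_t *pkt, size_t len) { rtp_view_t v; return rtp_parse(pkt, len, &v); }
long parse_payload_len(const uint8_t *pkt, size_t len)
{
    rtp_view_t v;
    return rtp_parse(pkt, len, &v) == 0 ? (long)v.payload_len : -1L;
}

int main(void)
{
    uint8_t buf[64];
    printf("good: rc=%d copied=%d\n", parse_result(GOOD_PKT, sizeof GOOD_PKT),
           rtp_copy_payload(GOOD_PKT, sizeof GOOD_PKT, buf, sizeof buf));
    printf("bad:  rc=%d\n", parse_result(BAD_PKT, sizeof BAD_PKT));
    return 0;
}
```

The point of the example is where the checks sit: each declared length is compared against the remaining bytes before the cursor moves, and the payload copy happens only after the whole header has been validated against a caller-supplied capacity. A parser that instead allocates or copies based on the extension length field alone is exactly the shape of code that a single malformed packet can turn into heap corruption.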
The WhatsApp Web client was apparently not affected, since it uses WebRTC for calls. WhatsApp’s mobile apps for both Android and iOS were affected, however, which is why it is advisable to update the app to the latest version. Once the report became public, fellow Google researcher Tavis Ormandy took note of the bug and tweeted: “This is a big deal. Just answering a call from an attacker could completely compromise WhatsApp.”
Bugs and security holes in WhatsApp are not uncommon; researchers unearth new ones almost every other week. Recently, researchers at G Data Labs found malware still under development that could have compromised user data stored in WhatsApp and even crashed the phone. The spyware contained several layers of functionality that could request user permissions in order to carry out a series of attacks on various parts of the smartphone, including harvesting phonebook numbers, reading SMS messages, and more.