Nasty WhatsApp Bug Left Users Vulnerable to Attack by Simply Answering a Video Call

Illustration for article titled Nasty WhatsApp Bug Left Users Vulnerable to Attack by Simply Answering a Video Call
Photo: Getty

On Tuesday, a researcher for Google’s Project Zero security team published a report revealing how WhatsApp users could lose control of their account just by answering a video call from a bad actor.


Natalie Silvanovich ‏published her findings on Google’s Chromium blog and explained that the vulnerability was discovered in August and was promptly reported to WhatsApp’s parent company Facebook. Project Zero hunts down vulnerabilities and companies are given 90 days to fix them before the findings are made public. In this case, Silvanovich said that a patch rolled out for Android on September 28 and was applied for iOS on October 3.

Gizmodo contacted Facebook to confirm the fix was in place, a spokesperson sent us the following statement:

We routinely engage with security researchers from around the world to ensure WhatsApp remains safe and reliable. We promptly issued a fix to the latest version of WhatsApp to resolve this issue.

Silvanovich explained that the vulnerability worked by triggering a corruption error and crashing the app when a malformed RTP packet was received. The technique—a video call to a user with the hope that they answer—was identified as a very simple delivery method, though it was not necessarily the only method. It’s a reminder that even if a hacker is only able to get ahold of a potential victim’s phone number, there are ways to exploit it. With 1.2 billion users, WhatsApp represents a tempting attack surface. “This is a big deal,” Silavovich’s Google colleague Tavis Ormandy tweeted. “Just answering a call from an attacker could completely compromise WhatsApp.”

The report comes just days after Facebook announced its new Portal videophone, a product release that was immediately met with skepticism as Facebook has been plagued with privacy and security scandals for years.

[Natalie Silvanovich, Reuters]