WhatsApp Header

A critical vulnerability in the WhatsApp messaging app for Android and iOS was fixed today that could have been activated simply by a user answering a call.  

Google Project Zero researcher Natalie Silvanovich stated in a bug report that heap corruption in the WhatsApp app could occur when an attacker sends a malformed RTP packet to a victim. 

"Heap corruption can occur when the WhatsApp mobile application receives a malformed RTP packet," stated the Google Project Zero bug report. "This issue can occur when a WhatsApp user accepts a call from a malicious peer. It affects both the Android and iPhone clients."

RTP stands for Realtime Transport Protocol and is commonly used to send audio and video over the Internet. In this case, both the iOS and Android versions of WhatsApp use this protocol and thus were vulnerable.

Google Project Zero does not disclose reported vulnerabilities until the bug is fixed or 90 days has elapsed. As the vulnerability in WhatsApp for Android was fixed on September 28th and iOS on October 3rd,  Google Project Zero was able to disclose the vulnerability to the public.

While the PoC outlined in the bug report only causes the app to crash, it could have been modified to further compromise WhatsApp.

Related Articles:

Tumblr Fixes Security Bug that Leaked Private Account Info

Facebook States 30 Million People Affected by Last Month's "View As" Bug

Facebook Vulnerability Affecting 50 Million Users Allowed Account Takeover

Microsoft October 2018 Patch Tuesday Fixes 12 Critical Vulnerabilities

Adobe Releases October 2018 Security Updates. None for Flash Player!