A critical vulnerability in the WhatsApp messaging app for Android and iOS was fixed today that could have been triggered simply by a user answering a video call.
Google Project Zero researcher Natalie Silvanovich stated in a bug report that heap corruption in the WhatsApp app could occur when an attacker sends a malformed RTP packet to a victim.
“Heap corruption can occur when the WhatsApp mobile application receives a malformed RTP packet,” stated the Google Project Zero bug report. “This issue can occur when a WhatsApp user accepts a call from a malicious peer. It affects both the Android and iPhone clients.”
RTP stands for Real-time Transport Protocol and is commonly used to send audio and video over the Internet. Both the iOS and Android versions of WhatsApp use this protocol and thus were vulnerable.
Google Project Zero does not disclose reported vulnerabilities until the bug is fixed or 90 days have elapsed. As the vulnerability was fixed in WhatsApp for Android on September 28th and in WhatsApp for iOS on October 3rd, Google Project Zero was able to disclose it to the public.
While the PoC outlined in the bug report only causes the app to crash, it could have been modified to further compromise WhatsApp.
This is a big deal. Just answering a call from an attacker could completely compromise WhatsApp. https://t.co/vjHuWt8JYa
— Tavis Ormandy (@taviso) October 9, 2018