What would happen if your smartphone could be hacked through the videocall service in WhatsApp?
This might sound like fiction, but the digital forensics expert Natalie Silvanovich found a critical vulnerability in WhatsApp, the most used instant messaging service, which could have allowed a hacker to take full control of the application to through the videocall function.
The vulnerability is a memory overflow issue that is triggered when a user receives an incorrectly-formatted RTP package that is specially designed through a videocall request, resulting in corruption failure and causing the crash of the mobile application.
Since the vulnerability affects the implementation of WhatsApp of RTP (real-time transport protocol), the flaw affects iOS and Android applications, but not the version of WhatsApp Web, because it is based on WebRTC to make video calls.
The digital forensics specialist also unveiled a vulnerability proof of concept, in addition to the instructions for carrying out the attack.
Although the proof of concept published by Silvanovich only causes damage to the memory, another investigator, Tavis Ormandy, affirms that the problem resides there.
“Answering a call from an attacker could completely compromise WhatsApp”, the expert considers.In other words, hackers only need the victim’s phone number to fully compromise their WhatsApp account and spy on their conversations.
Silvanovich reported on the vulnerability to the WhatsApp team in August of this year. The developers recognized and solved the problem for Android in September, while the solution for iOS came in recent days.If you have not yet updated your WhatsApp for any operating system, digital forensics specialists from the International Institute of Cyber Security recommend installing the update as soon as possible.
Just a couple of months ago, researchers also discovered a flaw in the way the mobile app of WhatsApp connects to WhatsApp Web, which allowed malicious users to intercept and modify the content of messages sent both in private and group conversations.
All of these flaws have been gradually corrected in the updates released by the application developers.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.