A potentially serious flaw that put users in a vulnerable configuration during video calls on Whatsapp has been fixed by the service providers.
The bug allowed hijackers to hijack the app and subsequently the accounts of the users, both on iOS and Android. It left them unarmed against the attack as soon as they answered the calls.
When the hijacker transmits a malformed RTP packet to a potential victim, heap corruption could occur -
referenced from a bug report by Natalie Silvanovich, a security researcher with Google’s Project Zero security research team.
Dissecting the execution, Natalie in the bug report says, "Heap corruption can occur when the WhatsApp mobile application receives a malformed RTP packet," She adds, "This issue can occur when a WhatsApp user accepts a call from a malicious peer. It affects both the Android and iPhone clients."
As the usage of RTP which stands for Realtime Transport Protocol is commonly shared by both the iOS and Android versions of the messaging app, it made both the platforms vulnerable to the hijack whereas, Whatsapp Web doesn't succumb to the attack as it uses WebRTC for video calls.
Notably, Silvanovich spotted the exploit a month earlier, but the reported vulnerabilities came into public domain only once a fix was devised. The flaws were patched on October 3rd and September 28th for iOS and Android respectively.
In the wake of bug being fixed, to be on an even safer side users are advised to have their apps updated to the latest version available for iOS and Android.
