According to a new report from Reuters, a security researcher discovered and reported the flaw to WhatsApp back in August. The company has since fixed the potentially serious issue, and the details are now in the public domain.
The researcher has described the vulnerability as a “memory corruption bug in WhatsApp’s non-WebRTC video conferencing implementation,” which essentially means that the flaw left WhatsApp users vulnerable during video calls on the app.
“We routinely engage with security researchers from around the world to ensure WhatsApp remains safe and reliable. We promptly issued a fix to the latest version of WhatsApp to resolve this issue,” Ann Yeh, spokeswoman for WhatsApp, told Reuters in an email.
Natalie Silvanovich, a researcher in Google’s Project Zero security research team, first spotted the WhatsApp vulnerability at the end of August. In a bug report, Silvanovich says, “Heap corruption can occur when the WhatsApp mobile application receives a malformed RTP packet.” The malformed packet that triggers the crash could be sent through a call request. “This issue can occur when a WhatsApp user accepts a call from a malicious peer,” she adds.
The discovery led to Tavis Ormandy, a vulnerability researcher at Google, declaring the issue could “completely compromise WhatsApp.” “This is a big deal,” he said on Twitter. “Just answering a call from an attacker could completely compromise WhatsApp.”
WhatsApp has now fixed the bug, according to Silvanovich. “This issue was fixed on September 28 in the Android client and on October 3 in the iPhone client,” she said.
In related news, WhatsApp co-founder Brian Acton has broken his silence about why he left Facebook last year, revealing monetization of the messaging service was the primary reason.