WhatsApp, a serious security bug in the video calls

in #whatsapp, 6 years ago

The WhatsApp development team has fixed a bug in the iOS and Android versions of WhatsApp that allowed an attacker to take control of the app when the recipient answered a purpose-built video call containing malicious packets. The flaw was discovered by Natalie Silvanovich, a security researcher at Project Zero, the Google team that continuously searches for security flaws in proprietary and third-party software and services.

The WhatsApp flaw was discovered around the end of August and has been described as a "memory corruption bug within the non-WebRTC implementation of WhatsApp video conferencing." This type of corruption can occur when the WhatsApp mobile app for iOS and Android receives a malformed RTP packet, which can happen when a video call from a malicious source is accepted.

The well-known security researcher Tavis Ormandy commented on Twitter: "This is really serious: simply responding to a call from an attacker could completely compromise WhatsApp". All clients that use the RTP protocol for video calls are affected, meaning those for iOS and Android, while WhatsApp Web is not affected because it uses the WebRTC protocol.

To prove the existence of the vulnerability, Silvanovich published proof-of-concept code complete with instructions to reproduce the attack. At the time of writing, however, it is no longer reproducible on updated clients, since WhatsApp fixed the problem in updates released on September 28 for the Android client and October 3 for the iOS client. If you have not updated the apps since then, do so.

WhatsApp also commented: "WhatsApp takes great care of the safety of its users and we are constantly confronting security researchers around the world to ensure that the app remains safe and reliable." Furthermore, according to the company, there is no evidence that the bug has been exploited in real attacks against users of the service.


If the users keep autoupdate ON, nothing will happen to them. The only problem of the ocean of apps is they use our data and info the first time we give them the right when accepting their TOS.

Agree, and welcome @edaze
