Who you gonna call? WhatsApp fixes vulnerability linked to incoming calls

WhatsApp, owned by Facebook, has patched a bug found on its platform which could allow attackers to gain access to users’ accounts when they answered an incoming call.

The vulnerability was identified and reported in late August by Google Project Zero researcher Natalie Silvanovich. According to Silvanovich’s report, the bug occurs when a user receives a “malformed” runtime packet (which could occur when a WhatsApp user accepts an incoming call from an attacker). This triggers an error, causing the app to crash and compromising the user’s account.

The vulnerability affected both iOS and Android users. It was patched in early October.

An anonymous WhatsApp employee told Reuters that there had been no evidence that the bug had been exploited by attackers. In a statement to Reuters, a WhatsApp spokesperson said: “We routinely engage with security researchers from around the world to ensure WhatsApp remains safe and reliable. We promptly issued a fix to the latest version of WhatsApp to resolve this issue.”

“I’m sceptical of the claim that this attack could allow a hacker to remotely take over the victim’s device and access their conversations,” said Paul Bischoff, a privacy advocate at Comparitech. “The proof of concept describes a memory heap overflow that causes the app to crash due to memory corruption but does not indicate that it would allow remote hijacking. How could a hacker take over an app if it’s just crashed?”

However, Tavis Ormandy, who is also employed by Google’s Project Zero, commented that: “This is a big deal. Just answering a call from an attacker could completely compromise WhatsApp.”

Memory corruption bug in WhatsApp's non-WebRTC video conferencing implementation https://t.co/5sCmNznh4P

— Natalie Silvanovich (@natashenka) October 9, 2018

WhatsApp is the most popular chat app, being used by more than a billion people around the world, and favoured due to its end-to-end encryption, low data use and lack of adverts. In 2014, Facebook acquired WhatsApp for $19bn (£14.4bn). WhatsApp co-founder Brian Acton has spoken publicly about his disagreements with Facebook regarding user privacy, while his co-founder Jan Koum left the company this year, reportedly over similar disagreements. 

Facebook has undergone a series of public humiliations this year with regards to user privacy and security, most notably the Cambridge Analytica scandal – in which 87 million users had their data unwittingly collected in order to develop tools to target political adverts (including on behalf of the Trump presidential campaign) – and a recent security breach which affected 50 million users.