whatsapp with a serious gap!
Is it possible to take control of someone's smartphone simply by calling this person? Maybe in a bad action movie, because in reality it is not so easy. However, it can not be said that this is not feasible. Google Project Zero presented an attack on the WhatsApp messenger, allowing you to remotely take control of an application on the victim's smartphone. All that is required is that the attacker will receive an incoming video call.
Luka was discovered by Natalie Silvanovich, working at Project Zero. Attackers can take control of the communicator by overflowing the memory stack. The overflow occurs when the user receives a specially crafted RTP packet ( Real-time Transport Protocol , a real-time transmission protocol used for voice and video calls, among others). Invalid packet is sent while "ringing" to the attacked person. When you receive a call, the WhatsApp app terminates immediately.
It is worth noting that the browser version of WhatsApp uses WebRTC for video calls, so it is not susceptible to this attack. It can be performed on Android and iOS applications. Details can be found in the publication , along with the description of the next steps of the attack.
The very end of application work and violation of memory integrity is just the first step to attack. Topic continued with Tavis Ormandy from Project Zero. In his opinion, the problem is very serious, because when answering an incoming call, the user also exposes himself to further attacks. The failure of the communicator opens vulnerabilities through which you can take control of the application, get into the user's account and listen in on the conversations that it runs. Because WhatsApp uses the phone number as the user ID, all you need to know is someone's number to attack
Silvanovich discovered the gap in August and immediately notified the authors of the communicator. The patch for the Android version was released on September 28, for iOS on October 3. If you have not updated your messenger in the last few weeks, it's worth doing it as soon as possible. You can find the latest version of WhatsApp in our database of applications for Android and iOS .
