WhatsApp Bug Allowed Hackers To Hack Your Account With Just A Video Call

Updated on

A security researcher at Google’s Project Zero discovered a strange bug in WhatsApp that allowed hackers to take control of the app if they just knew your phone number. All they had to do was placing you a video call and getting you to answer it. Though the WhatsApp bug was disclosed only on Tuesday, Google researcher Natalie Silvanovich had discovered and reported it to the Facebook-owned company back in August.

How the WhatsApp bug made you vulnerable to attacks

The WhatsApp bug has been fixed now in both iOS and Android versions of the app. Natalie Silvanovich explained on Chromium how you could lose control of your account by taking a WhatsApp video call from a bad actor. Natalie described it as a “memory corruption bug in WhatsApp’s non-WebRTC video conferencing implementation.” It causes the device to crash within seconds of taking the video call.

She disclosed the WhatsApp bug to the public only after the company fixed it via a software update. Silvanovich wrote in a bug report that heap corruption could occur when the WhatsApp app “receives a malformed RTP packet.” The bug affects only the Android and iOS versions of WhatsApp because they use the Real-time Transport Protocol (RTP) for video calling. The WhatsApp Web is not affected because it relies on WebRTC for video calls.

The Google researcher also shared a proof-of-concept code and instructions to reproduce the hacking attack. The WhatsApp bug was fixed on Android devices on Sept.28 and for iOS devices on Oct.3 via an update. The messaging company said in a statement to ZDNet that it “cares deeply about the security of our users.” It works with security researchers around the world to ensure that the service “remains safe and reliable.”

WhatsApp told ZDNet that it didn’t find any evidence of hackers exploiting this bug to attack other users. It encouraged people to update their app to the latest version to fix the said WhatsApp bug. With more than a billion active users, WhatsApp is a lucrative platform for hackers to carry out attacks.

WhatsApp has been offering video calls for a long time. It introduced group video calling with up to four people a couple of months ago. The group video calling works even under slow network connections, which is important because most WhatsApp users are in emerging countries such as India and Brazil where Internet connectivity is not that strong. The group video and voice calls are end-to-end encrypted.

Hackers also use the voicemail trick to control your WhatsApp

Earlier this month, Israeli cyber-security agency sent out a nation-wide security alert about a new method of hacking WhatsApp. It involves taking advantage of poorly secured voicemail inboxes. The technique was discovered about a year ago by an Israeli developer, but hackers began using it widely in the last few months.

The cyber security agency noted that most voicemail users often don’t change their account’s default password, which means their password remains 1234 or 0000. An attacker could use the voicemail system to hack your WhatsApp account. The hacker would enter the phone number of the victim they are trying to target while installing new WhatsApp account on their own phone.

Since WhatsApp will send the one-time password to the legitimate user’s phone number (which the hacker doesn’t have access to), the attacker would enter the wrong OTP. After multiple wrong OTP attempts, the messaging service will show you the option to use voice verification. WhatsApp will make a voice call to the legitimate user to tell them the verification code. If that user didn’t answer the call, the OTP will end up in their voicemail. The hacker could access their voicemail to access the verification code and then hack into their WhatsApp account.

Facebook has been at the center of numerous security issues since last year. Just when though the Cambridge Analytica scandal was the biggest misuse of Facebook data, the company disclosed recently that private data of more than 50 million users was leaked.

Leave a Comment