WhatsApp’s new exploit causes ructions in the instant-messaging world
WhatsApp is a messaging app that most users are familiar with and it allows one to text, chat and share media, including voice messages and videos, with individuals or groups. The app offers encrypted messaging by default to its 1.5 billion users worldwide. Owned and run by Facebook, the company discovered a new vulnerability in early May and have released a patch for it on Monday 13th May 2019. This new WhatsApp exploit injects malware onto targeted phones and steals data from them, simply by calling the victim. The targets do not even have to answer the call to become infected and the calls leave no trace on the phone’s log.
Remote-exploitable bugs can exist in any application that receives data from untrusted sources. That includes WhatsApp calls, which use the voice-over-internet protocol (VoIP) to connect users. According to the public statements Facebook has shared, the WhatsApp vulnerability came from an extremely common type of bug known as a buffer overflow. Most apps have a buffer where they store extra data. Hackers are aware of this strategy and they intentionally overburden the buffer, so that the extra data is forced to overflow into other parts of the memory. This then gives attackers leverage to gain more control.
Security has never been WhatsApp’s primary design objective, which means WhatsApp must rely on complex VoIP stacks that are known for having vulnerabilities. WhatsApp’s protocols for establishing a connection is rather complex, deeming this application a playground for exploitable bugs and this new bug can be triggered without the other end even picking up the call.
WhatsApp has not yet provided information on how they discovered this bug or shared any specifics on how it works. They have expressed though that they’re busy with infrastructure upgrades in addition to implementing a patch to ensure that customers can’t be targeted with other phone-call bugs.
Attackers are always trying to find a vulnerability before the owners of the application can patch it. It is an inevitable part of software development, which emphasises the importance of closing security gaps as soon as possible. However, a hack that requires nothing but an incoming phone-call seems very overwhelming to protect yourself from. Make sure to download the updated WhatApp patch on all of your devices.