WhatsApp fixes video call exploit that allowed account hijacks

If you answered a call, you were open to attack.
Jon Fingas, @jonfingas
October 10, 2018
WhatsApp owners may have just dodged a bullet. The messaging service has fixed a security flaw that let intruders hijack the app (and thus your account) when you answered an incoming video call on Android or iOS. If an attacker sent a malformed Real-time Transport Protocol (RTP) packet, it would corrupt the app's heap memory and open it to attack. Web users weren't affected, since the browser-based client relies on the WebRTC protocol.

Google security researcher Natalie Silvanovich found the exploit in late August, but it's only being widely disclosed now that there's a fix in place. WhatsApp patched the flaws on September 28th for Android users and October 3rd for iOS.

A spokesperson for WhatsApp told ZDNet there was no evidence the exploit had been used in the wild, and that it "cares deeply" about user security. Still, it adds to some ongoing concerns around WhatsApp in recent weeks. Israel's online intelligence agency recently warned about a widely used account hijacking method that took advantage of improperly secured voicemail inboxes. This doesn't mean that WhatsApp is uniquely vulnerable. It does, however, suggest that users will want to be extra-vigilant, both in locking down their account info and refusing to accept calls from strangers.
