WhatsApp fixes video call exploit that allowed account hijacks

If you answered a call, you were open to attack.

WhatsApp owners may have just dodged a bullet. The messaging service has fixed a security flaw that let intruders hijack the app (and thus your account) when you answered an incoming video call in Android or iOS. If an attacker sent a malformed Real-time Transport Protocol packet, it would corrupt the app's heap memory and open it to attack. Web users weren't affected, since the browser-based client relies on the WebRTC protocol.

Google security researcher Natalie Silvanovich found the exploit in late August, but it's only being widely disclosed now that there's a fix in place. WhatsApp patched the flaws on September 28th for Android users and October 3rd for iOS.

A spokesperson for WhatsApp told ZDNet there was no evidence the exploit had been used in the wild, and that it "cares deeply" about user security. Still, it adds to some ongoing concerns around WhatsApp in recent weeks. Israel's online intelligence agency recently warned about a widely used account hijacking method that took advantage of improperly secured voicemail inboxes. This doesn't mean that WhatsApp is uniquely vulnerable. It does, however, suggest that users will want to be extra-vigilant, both in locking down their account info and refusing to accept calls from strangers.