This new fault, discovered in late August by the team at Google Project Zero, was manifesting in the Android version of the app as well as iOS (Apple).
It allowed a video call armed with a trojan to force the app to bork and force close. It has been described by Tavis Ormandy at Project Zero as a “big deal”.
This is a big deal. Just answering a call from an attacker could completely compromise WhatsApp. https://t.co/vjHuWt8JYa
— Tavis Ormandy (@taviso) October 9, 2018
The problem was discovered by Natalie Silvanovich who spotted that video (such as a video call) could be tampered with during transit, with fake data packets being added to force the app to do unexpected things.
It’s thought that, left unchecked, it could be turned into a weapon with a more damaging payload, endangering many of the 1.2bn worldwide users of the app.
It is not thought that the fault had been exploited at the time it was patched. Facebook described its action to fix the fault as prompt:
“We routinely engage with security researchers from around the world to ensure WhatsApp remains safe and reliable,” said a spokesperson.
As with other Project Zero discoveries, the team started a 90-day stopwatch on first spotting it. If Facebook had not fixed it in time, the vulnerability would have been made public as a warning to the public.
Google has been criticised for its “name and shame” policy after revealing several unpatched flaws from Microsoft on the eve of a Patch Tuesday fix. However, others have applauded the initiative, which seems to be having a positive effect on the speed at which zero-days are being tackled.
Source: Inquirer