Update WhatsApp: This video call bug could compromise your account

If you haven't updated WhatsApp in a long while (weeks or months), now might be the time to do so.

The messaging service has issued a fix for a major security flaw, which has been lurking around in the Android and iOS versions of WhatsApp, giving hackers an opportunity to take control of their targets' app and account via video calls.


Hijacking attempts via video calls, but how?

"Last week, Israel's cyber-intelligence agency sent out an alert about a new hacking technique that relied on poorly secured voicemail inboxes to hijack WhatsApp accounts from their legitimate owners," said the report.

"This issue can occur when a WhatsApp user accepts a call from a malicious peer," she added. She also published proof-of-concept code and instructions on how to reproduce the attack.

The memory corruption bug was found in WhatsApp's "non-WebRTC" video conferencing implementation. WhatsApp Web users were not impacted because the web version uses what is called WebRTC for video calls.

The bug, which was first discovered in August, opens WhatsApp to attack by corrupting its heap memory.

To exploit the bug, the attacker has to deliver a malformed Real-time Transport Protocol (RTP) packet to the target.

This, as researchers described, could be done by simple video calling, because any unaware individual could easily answer the call and have their accounts compromised.

In the biggest-ever security breach after the Cambridge Analytica scandal, Facebook last month admitted that hackers broke into nearly 50 million users' accounts by stealing their "access tokens" or digital keys.

Facebook's security team discovered the security issue on September 25, and it was later fixed.

In the Cambridge Analytica scandal, the data of nearly 87 million people was breached.


However, it doesn't affect WhatsApp Web

The 'memory corruption' bug was found by Google Project Zero security researcher Natalie Silvanovich, who was able to publish its proof-of-concept code and give detailed instructions for reproducing the attack.

She also found that the bug only affected WhatsApp's Android and iOS apps. The web version of the service uses WebRTC instead of RTP for video conferencing and is not at risk.


