Slashdot Mirror


WhatsApp Fixes Bug That Let Hackers Take Over App When Answering a Video Call (zdnet.com)

WhatsApp developers have fixed a bug in the Android and iOS versions of the WhatsApp mobile app that allowed an attacker to take over the application when the user answered an incoming video call. From a report: Natalie Silvanovich, a security researcher on Google's Project Zero team, discovered the WhatsApp vulnerability at the end of August. She described it as a "memory corruption bug in WhatsApp's non-WebRTC video conferencing implementation." "Heap corruption can occur when the WhatsApp mobile application receives a malformed RTP packet," Silvanovich said in the bug report. "This issue can occur when a WhatsApp user accepts a call from a malicious peer." In other words, the malformed packet comes from the calling party itself, so the only interaction required of the victim is answering the call. It is unclear how popular the video feature is on WhatsApp, which is used by more than 1.2 billion users, but in July the company said users were spending over two billion minutes on calls (voice included) each day.
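The report says only that a malformed RTP packet corrupts the heap; it does not say which field was mishandled, and the example below is not WhatsApp's code or the specific Project Zero bug. It is an added illustration of the general class: an RTP header (RFC 3550, section 5.1) carries several lengths the remote peer chooses (the CSRC count, the extension length, the padding count), and a receiver that indexes its buffer with those values before checking them against the number of bytes actually received reads or writes past the packet. The parser below validates each one first. The sample packets are constructed for this example, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parsed view of an RTP packet header (RFC 3550, section 5.1). */
typedef struct {
    uint8_t  version, padding, extension, csrc_count, marker, payload_type;
    uint16_t sequence;
    uint32_t timestamp, ssrc;
    size_t   payload_offset;   /* byte offset of the payload inside the packet */
    size_t   payload_len;      /* payload bytes, trailing padding excluded */
} rtp_packet_t;

#define RTP_FIXED_HEADER_LEN 12

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse one RTP packet. Returns 0 on success, -1 if it is malformed.
 * Every length the peer controls (CSRC count, extension length, padding
 * count) is checked against `len`, the byte count actually received,
 * before it is used to index the buffer, so no access goes past the end. */
int rtp_parse(const uint8_t *buf, size_t len, rtp_packet_t *out)
{
    if (buf == NULL || out == NULL || len < RTP_FIXED_HEADER_LEN)
        return -1;

    memset(out, 0, sizeof *out);
    out->version      = buf[0] >> 6;
    out->padding      = (buf[0] >> 5) & 1;
    out->extension    = (buf[0] >> 4) & 1;
    out->csrc_count   = buf[0] & 0x0f;
    out->marker       = buf[1] >> 7;
    out->payload_type = buf[1] & 0x7f;
    out->sequence     = (uint16_t)((buf[2] << 8) | buf[3]);
    out->timestamp    = be32(buf + 4);
    out->ssrc         = be32(buf + 8);

    if (out->version != 2)
        return -1;

    /* CSRC list: up to 15 four-byte entries. A parser that trusts CC and
     * touches buf[12 + 4*cc] on a short packet runs off the buffer. */
    size_t off = RTP_FIXED_HEADER_LEN + (size_t)out->csrc_count * 4;
    if (off > len)
        return -1;

    if (out->extension) {
        /* Header extension: 16-bit profile, 16-bit length in 32-bit words. */
        if (len - off < 4)
            return -1;
        size_t ext_words = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        off += 4;
        /* ext_words is peer-chosen (up to 65535); bound it by what is left. */
        if (ext_words > (len - off) / 4)
            return -1;
        off += ext_words * 4;
    }

    size_t payload_len = len - off;
    if (out->padding) {
        /* The last byte holds the padding count, which includes itself. */
        if (payload_len == 0)
            return -1;
        uint8_t pad = buf[len - 1];
        if (pad == 0 || pad > payload_len)
            return -1;
        payload_len -= pad;
    }

    out->payload_offset = off;
    out->payload_len    = payload_len;
    return 0;
}

/* Constructed sample packets for the demo (not captured traffic). */
static const uint8_t kGoodPacket[] = {
    0x80, 0x60, 0x00, 0x01, 0x00, 0x00, 0x00, 0x64,   /* V=2 CC=0, PT=96, seq=1, ts=100 */
    0xde, 0xad, 0xbe, 0xef, 0xaa, 0xbb, 0xcc };       /* SSRC, 3 payload bytes */
static const uint8_t kExtPadPacket[] = {
    0xb0, 0xe0, 0x00, 0x02, 0x00, 0x00, 0x00, 0xc8,   /* V=2 P=1 X=1, M=1 PT=96, seq=2 */
    0xde, 0xad, 0xbe, 0xef, 0xbe, 0xde, 0x00, 0x01,   /* SSRC, extension of 1 word */
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x00, 0x02 }; /* ext data, payload, 2 pad bytes */
static const uint8_t kShortCsrcPacket[] = {          /* CC=3 but only one CSRC present */
    0x83, 0x60, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00,
    0xde, 0xad, 0xbe, 0xef, 0x00, 0x00, 0x00, 0x00 };
static const uint8_t kBadExtPacket[] = {             /* X=1, extension claims 65535 words */
    0x90, 0x60, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00,
    0xde, 0xad, 0xbe, 0xef, 0xbe, 0xde, 0xff, 0xff };
static const uint8_t kBadPadPacket[] = {             /* P=1, pad count 7 > 3 bytes left */
    0xa0, 0x60, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00,
    0xde, 0xad, 0xbe, 0xef, 0xaa, 0xbb, 0x07 };

int main(void)
{
    const struct { const char *name; const uint8_t *buf; size_t len; } s[] = {
        { "good", kGoodPacket, sizeof kGoodPacket },
        { "ext+pad", kExtPadPacket, sizeof kExtPadPacket },
        { "short-csrc", kShortCsrcPacket, sizeof kShortCsrcPacket },
        { "bad-ext", kBadExtPacket, sizeof kBadExtPacket },
        { "bad-pad", kBadPadPacket, sizeof kBadPadPacket } };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++) {
        rtp_packet_t p;
        if (rtp_parse(s[i].buf, s[i].len, &p) == 0)
            printf("%-10s ok: pt=%u seq=%u payload at %zu, %zu bytes\n",
                   s[i].name, p.payload_type, p.sequence, p.payload_offset, p.payload_len);
        else
            printf("%-10s rejected as malformed\n", s[i].name);
    }
    return 0;
}
```

The three rejected packets are each well-formed in their first twelve bytes; what makes them dangerous is a later length field that points outside the bytes received. Checking `off > len` and `ext_words > (len - off) / 4` rather than comparing against the buffer's allocation is the point: the bound is what arrived on the wire, not what the receiver reserved.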

11 comments

  1. why by Anonymous Coward · Score: 0

    this is still around? it's 2018.

  2. G'Bye Landlines by Arzaboa · Score: 2

    There will be a day, not so long in the future, when people drop landlines completely for a system that cannot be spoofed and that is encrypted end-to-end. AT&T and the like had better pay attention or that business will end up in the trash heap of history.

    --
    Mr. Watson — Come here — I want to see you - Alexander Graham Bell

    1. Re:G'Bye Landlines by sjames · Score: 1

      I find it amusing how many years AT&T and Bell promised us video phones and other vaporware, and extolled the virtues of caller ID etc., and never really delivered (since caller ID is now mostly spoofed junk calls), but WhatsApp and similar delivered. Obviously the technology has caught up with the vision (necessarily, since WhatsApp, Duo, and others actually work), so what about it, AT&T? I might even ask them "so WhatsApp with that?"

    2. Re:G'Bye Landlines by Malcolm+Chan · Score: 1

      It would be nice to see such a system that is open and standardised, though. Having everyone on WhatsApp would be... dangerous, to say the least!

      --

      /MC

  3. Re: Sand n1ggers by Anonymous Coward · · Score: 0

    Huh?

    Did you get dropped on your head repeatedly?

    All my white friends (Trump voters all) use this application. Grow up.

  4. "Bug" by Anonymous Coward · Score: 0

    ... not a surveillance feature.

    1. Re:"Bug" by Anonymous Coward · Score: 0

      If it wasn't a bug they couldn't blame "hackers", those convenient bogeymen of the cyber spaces you can blame for all your failings.

      Notice how the reporting implies only "special" people might abuse this defect, they're called "hackers" and you'd be out of your mind to call yourself that because to the writer it implies "criminal". And who would call themselves that, eh?

      In my mind it stands to reason, because the computer security industry is full of "special" people. And not in a good way. Why else do they keep on failing to secure us so badly? Do they do it on purpose so big companies can hide behind bogeymen? Or is it so inept computer security writers have easy bogeymen to blame for what otherwise ought to be very embarrassing to themselves indeed? Think about it.

    2. Re: "Bug" by Anonymous Coward · Score: 0

      > In my mind it stands to reason, because the computer security industry is full of "special" people. And not in a good way. Why else do they keep on failing to secure us so badly? Do they do it on purpose so big companies can hide behind bogeymen? Or is it so inept computer security writers have easy bogeymen to blame for what otherwise ought to be very embarrassing to themselves indeed? Think about it.

      The computer security industry has some very talented people. The computer software industry on the other hand... it's full of dollar-a-day Elbonians, clueless PHBs and market-o-droids who want feature after feature after crappy feature. Exponentially driving up complexity is a recipe for bugs and then hiring the cheapest (read: aren't talented enough to earn more) to build it is a recipe for the clusterfuck we currently have.

      Computer software is also used by the clueless. It's impossible to reliably secure them if they won't take an interest in the security itself. The Signal protocol is a reasonable attempt at the best security for the clueless, but can provide solid security for anyone who actually verifies keys and worries about key change warnings.

      But management wants to dumb down most software and burden it with malfeatures to the point it cannot be reliably secured by even the best of us.

    3. Re: "Bug" by Anonymous Coward · Score: 0

      > The computer security industry has some very talented people.

      Too bad they insist on going full on retard with their talents, individually and collectively.

      > The computer software industry on the other hand... it's full of dollar-a-day Elbonians, clueless PHBs and market-o-droids who want feature after feature after crappy feature.

      Let's not forget that despite your accurate description the computer software industry does its level best to hire the best and brightest young graduates. Or at least they say they do.

      The computer security industry is pretty much a subset of this. They get a subset of the influx of very talented people also. The results are comparable.

      > Exponentially driving up complexity is a recipe for bugs and then hiring the cheapest (read: aren't talented enough to earn more) to build it is a recipe for the clusterfuck we currently have.

      Pet peeve: If it's exponential (==term of art), then what's the exponent? (To fix, pick a different word. Like "explosively", or go for outright drama with "dramatically". Delivered with a little Thespian schwung.)

      Anyway, the computer security industry knows full well that you can't secure software by bolting on "security solutions" later, and yet that has been their mainstay product-and-service from day one.

      (Intel buying Microsoft Windows add-on software vendor McAfee to "do security on the chip level". Layer violation much? Not to mention the other idiot assumptions that helped mother that particular fuck-up.)

      > Computer software is also used by the clueless. It's impossible to reliably secure them if they won't take an interest in the security itself.

      Don't blame the users for the promises the programmers failed to live up to.

      > But management wants to dumb down most software and burden it with malfeatures to the point it cannot be reliably secured by even the best of us.

      And you let them.