At the beginning of last week, a vulnerability in WhatsApp was publicly disclosed that allowed attackers to run malicious code on mobile devices and thereby leak sensitive data. The vulnerability has already been fixed in newer versions of the app, so the only protective measure required is to update to the latest version.
The attack exploited a buffer overflow vulnerability. The attacker called the target's WhatsApp from an unknown telephone number over VoIP, the protocol used for these calls. During the ringing and connecting phase, the attacker sent specially crafted SRTCP packets that caused a buffer overflow; ordinary SRTCP packets are used to establish the secure connection between users. The overflow then allowed the attacker to execute their own code in memory that the application would not normally let them reach. As a result, the attacker could access the data on the compromised mobile device and steal it.
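The check that a parser of this kind must make, shown as an added example (not WhatsApp's code and not the actual patched routine): walk a compound RTCP packet and refuse any sub-packet whose declared length exceeds the bytes actually received. It assumes the plain RFC 3550 RTCP header layout; the SRTCP trailer (index and authentication tag) is not modelled, and the sample packets are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Walk a compound RTCP packet and validate each sub-packet header against
 * the bytes actually received. Returns the number of well-formed sub-packets,
 * or -1 at the first malformed header. Assumption: RFC 3550 RTCP header
 * (V=2 in the top two bits, 16-bit length in 32-bit words minus one);
 * the SRTCP trailer is deliberately not modelled here. */
int rtcp_validate(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        if (len - off < 4)                  /* truncated header */
            return -1;
        if ((buf[off] >> 6) != 2)           /* only RTP/RTCP version 2 */
            return -1;
        /* length field counts 32-bit words minus one, header included */
        uint16_t words = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
        size_t pkt_len = ((size_t)words + 1) * 4;
        /* the check an overflowing parser omits: never trust the declared
         * length further than the bytes that were actually received */
        if (pkt_len > len - off)
            return -1;
        off += pkt_len;
        count++;
    }
    return count;
}

/* Constructed samples: a valid compound packet (RR followed by SDES, 8 bytes
 * each) and one whose length field claims far more data than was received. */
const uint8_t good_compound[] = {
    0x80, 0xC9, 0x00, 0x01, 0x11, 0x22, 0x33, 0x44,   /* RR,   PT=201 */
    0x81, 0xCA, 0x00, 0x01, 0x11, 0x22, 0x33, 0x44    /* SDES, PT=202 */
};
const uint8_t oversized_length[] = {
    0x80, 0xC9, 0xFF, 0xFF, 0x11, 0x22, 0x33, 0x44    /* claims 262144 bytes */
};

int main(void)
{
    printf("good compound: %d\n", rtcp_validate(good_compound, sizeof good_compound));
    printf("oversized:     %d\n", rtcp_validate(oversized_length, sizeof oversized_length));
    printf("truncated:     %d\n", rtcp_validate(good_compound, 6));
    return 0;
}
```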
From the user's point of view, the attack went unnoticed. Users did not have to accept the attacker's call, since the attack already took place during the ringing phase. Once the malicious code had run, it deleted the record of the missed call, so users did not realize they had been hacked.
The vulnerability was classified as critical because, among other reasons, it requires neither user interaction nor a higher-privileged account. Under the international CVSS v3.0 scoring system it is rated Critical, with a score of 9.8 out of 10.
All vulnerable versions of WhatsApp are listed on the website of the National Vulnerability Database under CVE-2019-3568; the Android and iOS apps are listed below:
- WhatsApp for Android up to version v2.19.134
- WhatsApp Business for Android up to version
- WhatsApp for iOS up to version v2.19.51
- WhatsApp Business for iOS up to version v2.19.51
To avoid the vulnerability, please update WhatsApp to at least the first version after those listed, which is no longer vulnerable.