WhatsApp closes leak that led to crash after receiving a call
According to Natalie Silvanovich, a researcher with Google’s Project Zero security team, WhatsApp patched a vulnerability in its apps for Android and iOS that could lead to a crash after receiving a call from an attacker.
Silvanovich describes her findings in an entry on Project Zero’s bug tracker. There she writes in an update that WhatsApp released a patch on September 28 for Android and on October 3 for iOS. She claims that a malicious caller was able to remotely crash WhatsApp into a target’s client by using a certain RTP package. According to the researcher, receiving that packet leads to heap corruption.
She has made no attempt to turn her discovery into an exploit, she writes on Twitter. There she mentions that the leak does have ‘a lot of potential’. It does not provide any information on whether the vulnerability, for example, allowed remote code execution. Project Zero colleague Tavis Ormandy poses in a private tweet that it is a serious vulnerability that only requires an attacker to place a call.