All WhatsApp Users Must Update: Zero Day Bug Found in WhatsApp
Google Project Zero’s Natalie Silvanovich has discovered a critical vulnerability in the Facebook-owned WhatsApp instant messaging app. On her Twitter feed on October 9, 2019, she broke the news to the public:
This is a big deal. Just answering a call from an attacker could completely compromise WhatsApp. https://t.co/vjHuWt8JYa
— Tavis Ormandy (@taviso) October 9, 2018
As of this writing, Facebook has not yet officially responded to the disclosure, but an update is apparently already available via Google Play and the App Store. However, not all users update to the latest version promptly, so triggering the bug with nothing more than a video call remains a plausible attack vector.
The app crash and memory corruption are caused by a malformed RTP packet sent by the attacker, which is only possible during a video call session in the app. “Heap corruption can occur when the WhatsApp mobile application receives a malformed RTP packet. This issue can occur when a WhatsApp user accepts a call from a malicious peer,” explained Silvanovich.
Silvanovich published her research on the Chromium Project Zero issue tracker: https://bugs.chromium.org/p/project-zero/issues/detail?id=1654.
She emphasized that both the Android and iOS versions of WhatsApp are affected, and enumerated the steps to replicate the bug:
To reproduce the issue:
1) Apply the attached patch to libwhatsapp.so in the Android application using bsdiff. This patch intercepts a memcpy right before srtp_protect is called, and alters the RTP buffer. The SHA1 of the original library I used was cfdb0266cbd6877e5d146ddd59fa83ebccdd013d, and the SHA1 of the modified library is 042256f240367eaa4a096527d1afbeb56ab2eeb4.
2) Build the attached file, natalie2.c for the Android device the application is running on, and copy it to /data/data/com.whatsapp/libn.so.
3) Copy the files in the attached folder into /data/data/com.whatsapp/files so that /data/data/com.whatsapp/files/t0 is a valid location.
4) Restart WhatsApp and call the target device and pick up the call. The device will crash in a few seconds.
Silvanovich has reminded Facebook that her team abided by Google Project Zero’s strict 90-day disclosure policy. She made the disclosure because of the social media giant’s lack of action on the reported issue in its WhatsApp mobile instant messaging app (Facebook was late in releasing a bug-fixed version). RTP (Real-time Transport Protocol) is a very efficient way to minimize packet loss, hence it is the protocol WhatsApp chose for its video call feature. The WhatsApp web version does not use it, as RTP is not fully supported in a web browser, so it uses WebRTC instead.
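As an added example, not WhatsApp's or Project Zero's code, here is the defensive counterpart to the flaw described above: an RFC 3550 RTP header parser that checks every length-bearing field (CSRC count, extension length, padding count) against the received datagram size before it derives a payload pointer, so a truncated or oversized packet is rejected rather than copied. The names rtp_parse and rtp_view are this example's own.

```c
/* Added example, not WhatsApp's code: a bounds-checked RTP (RFC 3550) header parser.
 * Trusting the CC, X or P fields without checking them against the datagram length
 * yields offsets or copy lengths past the end of the buffer, which is how a malformed
 * RTP packet becomes memory corruption. */
#include <stddef.h>
#include <stdint.h>

typedef struct {
    uint8_t  version, payload_type, csrc_count;
    uint16_t seq;
    uint32_t timestamp, ssrc;
    const uint8_t *payload;   /* points into the caller's datagram */
    size_t payload_len;       /* excludes header, CSRCs, extension and padding */
} rtp_view;

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 0 and fills *out on success; -1 (out untouched) for a malformed packet. */
int rtp_parse(const uint8_t *pkt, size_t len, rtp_view *out)
{
    rtp_view v;
    size_t off;
    if (pkt == NULL || len < 12) return -1;       /* fixed header is 12 bytes */
    v.version = pkt[0] >> 6;
    if (v.version != 2) return -1;
    v.csrc_count = pkt[0] & 0x0f;
    v.payload_type = pkt[1] & 0x7f;
    v.seq = (uint16_t)((pkt[2] << 8) | pkt[3]);
    v.timestamp = rd32(pkt + 4);
    v.ssrc = rd32(pkt + 8);
    off = 12 + (size_t)v.csrc_count * 4;          /* CSRC list: 0..15 entries */
    if (off > len) return -1;
    if (pkt[0] & 0x10) {                          /* X bit: header extension follows */
        size_t ext_words;
        if (len - off < 4) return -1;             /* profile (2) + length (2) */
        ext_words = ((size_t)pkt[off + 2] << 8) | pkt[off + 3];
        off += 4;
        if (ext_words * 4 > len - off) return -1; /* length is in 32-bit words */
        off += ext_words * 4;
    }
    v.payload = pkt + off;
    v.payload_len = len - off;
    if (pkt[0] & 0x20) {                          /* P bit: last octet = pad count */
        size_t pad = pkt[len - 1];
        if (pad == 0 || pad > v.payload_len) return -1;
        v.payload_len -= pad;
    }
    *out = v;
    return 0;
}
```

A receiver would run rtp_parse on every datagram before handing it to SRTP or the decoder and drop anything that returns -1; counting those rejects per peer also gives a cheap detection signal for a caller sending deliberately malformed media.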
The revelation of the critical zero-day bug in WhatsApp by Silvanovich has been seconded by a fellow Googler, Tavis Ormandy.
By default, automatic app updates are enabled for the Google Play Store and the Apple App Store; however, to reduce the chance of accidental data charges, many users have turned the feature off. Everyone with a WhatsApp account is strongly advised to update.