Critical WhatsApp Bugs Could Have Let Attackers Hack Devices Remotely
WhatsApp has released security updates to address two flaws in its messaging app for Android and iOS that could lead to remote code execution on vulnerable devices.
One of them concerns CVE-2022-36934 (CVSS score: 9.8), a critical integer overflow vulnerability in WhatsApp that results in the execution of arbitrary code simply by establishing a video call.
The issue impacts the WhatsApp and WhatsApp Business for Android and iOS prior to versions 126.96.36.199.
Also patched by the Meta-owned messaging platform is an integer underflow bug, which refers to an opposite category of errors that occur when the result of an operation is too small for storing the value within the allocated memory space.
The high-severity issue, given the CVE identifier CVE-2022-27492 (CVSS score: 7.8), affects WhatsApp for Android prior to versions 188.8.131.52 and WhatsApp for iOS version 184.108.40.206, and could be triggered upon receiving a specially crafted video file.
Exploiting integer overflows and underflows are a stepping stone towards inducing undesirable behavior, causing unexpected crashes, memory corruption, and code execution.
WhatsApp did not share more specifics on the vulnerabilities, but cybersecurity firm Malwarebytes said that they reside in two components called Video Call Handler and Video File Handler, which could permit an attacker to seize control of the app.
A spokesperson for WhatsApp told The Hacker News that “we discovered [the flaws] ourselves and there was no evidence of exploitation.”
Vulnerabilities on WhatsApp can be a lucrative attack vector for threat actors looking to plant malicious software on compromised devices. In 2019, an audio calling flaw was exploited by the Israeli spyware maker NSO Group to inject the Pegasus spyware.