With over a billion users around the world using both Android and iPhone handsets, WhatsApp is one of the world’s most popular messenger apps thanks to its privacy-focused nature.
By exploiting two critical zero-day vulnerabilities in it, a hacker could have remotely taken full control of the app on a user’s phone.
The newly identified vulnerabilities are:
- CVE-2022-36934: Integer Overflow Bug
- CVE-2022-27492: Integer Underflow Bug
These two vulnerabilities were discovered by the internal security team of WhatsApp. These two security flaws were marked as “Critical” and received a score of 10/10.
By exploiting these vulnerabilities, a threat actor could perform several illicit activities:
- Launch malware
- Steal sensitive data
- Watch over the user’s activities
- Hack the entire device
As soon as the user answers the call, the code would run automatically on their device. Both critical vulnerabilities have been fixed, so the threat is no longer a concern.
According to the WhatsApp advisory: “An integer overflow (CVE-2022-36934) in WhatsApp for Android prior to v18.104.22.168, Business for Android prior to v22.214.171.124, iOS prior to v126.96.36.199, Business for iOS prior to v188.8.131.52 could result in remote code execution in an established video call.”
“An integer underflow (CVE-2022-27492) in WhatsApp for Android prior to v184.108.40.206, WhatsApp for iOS v220.127.116.11 could have caused remote code execution when receiving a crafted video file.”
With CVE-2022-36934, an attacker could execute arbitrary code during an established video call without any involvement from the user.
An “integer overflow”, also referred to as “wraparound”, occurs when an arithmetic result is too large for the integer type that stores it, so the stored value wraps around to a small number.
According to the GBHackers report, the CVE-2022-27492 vulnerability involves user interaction and allows remote code execution by threat actors. The affected component is the Video File Handler, which works with video files; the flaw sits in a block of its code.
Manipulating that component with an unknown input leads to a memory corruption vulnerability.
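The following C sketch is an added illustration, not WhatsApp's code; the page does not describe the vulnerable code itself. It shows how an unsigned multiply and an unsigned subtract wrap around, and the range checks that stop a wrapped length from reaching an allocation or copy. The function names, `HEADER_LEN` and the sample values are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HEADER_LEN 8u /* hypothetical fixed header size of a media chunk */

/* Overflow: the 32-bit product wraps, so a huge count yields a tiny size. */
uint32_t frame_bytes_unchecked(uint32_t count, uint32_t frame_size) {
    return count * frame_size;
}

/* Hardened: reject inputs whose product does not fit in 32 bits. */
bool frame_bytes_checked(uint32_t count, uint32_t frame_size, uint32_t *out) {
    if (frame_size != 0 && count > UINT32_MAX / frame_size)
        return false;
    *out = count * frame_size;
    return true;
}

/* Underflow: a declared length below HEADER_LEN wraps to nearly 4 GiB. */
uint32_t payload_len_unchecked(uint32_t declared_len) {
    return declared_len - HEADER_LEN;
}

/* Hardened: the declared length must cover the header and must not
   exceed the number of bytes actually received. */
bool payload_len_checked(uint32_t declared_len, size_t received, uint32_t *out) {
    if (declared_len < HEADER_LEN || declared_len > received)
        return false;
    *out = declared_len - HEADER_LEN;
    return true;
}

int main(void) {
    uint32_t out = 0;
    /* Constructed sample values, chosen to trigger the wraparound. */
    printf("unchecked size:    %u\n", (unsigned)frame_bytes_unchecked(0x10000001u, 16));
    printf("checked accepts:   %d\n", frame_bytes_checked(0x10000001u, 16, &out));
    printf("unchecked payload: %u\n", (unsigned)payload_len_unchecked(4));
    printf("checked accepts:   %d\n", payload_len_checked(4, 64, &out));
    return 0;
}
```

A parser that sizes a buffer from the unchecked results would allocate 16 bytes for over 268 million frames, or treat a 4-byte chunk as holding about 4 GiB of payload; the checked variants reject both inputs before any memory is touched.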
The advisory lists the following affected versions, all of which have been fixed:
- Android prior to v18.104.22.168
- Business for Android prior to v22.214.171.124
- iOS prior to v126.96.36.199
- Business for iOS prior to v188.8.131.52
- Android prior to v184.108.40.206
- iOS v220.127.116.11
On the underground market, the 0-day vulnerabilities were estimated to sell for between $5k and $25k. Apart from this, GBHackers claimed:
“It has not been detected that any of the vulnerabilities described above have been exploited in any way.”
To avoid being affected by these critical RCE bugs, users are advised to update WhatsApp Messenger to the latest version.