WhatsApp fixes two zero-day vulnerabilities that could have led hackers to take complete control of the app on a user’s device. The common vulnerability and exposure (CVE) were assigned a score of 10/10 and were marked as critical in the severity group. Due to the vulnerabilities, a threat actor could launch malware, steal sensitive data, watch over the user’s activities, and hack the entire device, among other threats.
Using the vulnerabilities, a hacker could remotely execute an arbitrary code by sending a video file or a video call that would initiate the attack. The code would automatically run when a user attends the call.
Although the two critical vulnerabilities have been fixed, a report by news platform GBHackers suggests that the severity of its impact could have been high. The vulnerabilities were detected by WhatsApp’s internal team and impacted Android and IOS devices. However, no user has been affected so far. “We make public reports on potential issues we have fixed consistently with industry best practices. In this instance, there is no reason to believe users were impacted,” a WhatsApp spokesperson told the news website.
Details of the vulnerabilities
While the CVE-2022-27492 and CVE-2022-36934 were fixed, no further information has been available. Moreover, exploits based on these vulnerabilities are yet to be detected. Vulnerabilities as severe as these can put billions of WhatsApp users at risk. Hence, users need to keep the app updated to avoid being victims of such exploits and bugs.
CVE-2022-36934, the integer overflow bug, can allow the attacker to run an arbitrary code during a video call. It gives the hacker complete access to the WhatsApp messenger app and does not require any action from the user’s side.
CVE-2022-27492, the Integer underflow bug, requires user interaction to run the planned exploit. The underflow bug can cause memory damage when the user accesses a corrupted video file sent by the attacker. Following this, the hacker could exploit any information from the device.