According to Natalie Silvanovich, a researcher on Google's Project Zero security team, WhatsApp has fixed a vulnerability in its apps for Android and iOS that could lead to a crash after receiving a call from an attacker.
Silvanovich describes her findings in a report on the Project Zero bug tracker. In an update there, she writes that WhatsApp released a patch on September 28 for Android and on October 3 for iOS. She states that a malicious caller was able to remotely trigger a crash in a target’s WhatsApp client by using a certain RTP packet. According to the researcher, receiving this packet leads to heap corruption.
She has made no attempt to turn her discovery into an exploit, she writes on Twitter. There she mentions that the vulnerability has ‘a lot of potential’. She does not say whether the vulnerability made it possible, for example, to execute code remotely. Project Zero colleague Tavis Ormandy states in his own tweet that it is a serious vulnerability that only requires an attacker to make a call.