Security researchers at Sophos have discovered a startling new WhatsApp vulnerability. The trick can be used to exploit anybody who hasn’t changed a certain default setting and can crack a WhatsApp account wide open.
New WhatsApp vulnerability can give complete control of your WhatsApp account to anybody who knows your phone number
The trick comes via a WhatsApp video or voice call as the vulnerability is found in RTP (Real Time Protocol). RTP is used by many online calling apps. In the name of efficiency, RTP doesn’t check to see if data that has been transmitted has arrived, and packets of data might not arrive in the same order they were sent. This allows the online calling apps using RTP to deliver the speech and video present in the data, and only cut out the speech and video from lost packets rather than lose the whole conversation.
Another key step in the complicated process required to perform an online voice or video call is squeezing all of the data into small binary packets and then unraveling them all again when they’ve arrived. This process, if not done correctly, can lead to data being moved where it shouldn’t be and left unprotected.
The trick that Sophos uncovered exploits these two minor vulnerabilities and enables hackers to take control of any WhatsApp account they can call. If a hacker calls you on WhatsApp who knows the trick, and you answer, they can take control of your account.
There is good news, however. The flaw was reported and there does seem to be a patch available in the latest update.
Unfortunately, as pointed out by the guys at Sophos, there is a slight discrepancy between the date the trick was closed and the date the patch was released. This means there are two things you need to do to protect your WhatsApp account against this trick.
How to protect your WhatsApp account
1. Ensure your apps are updated regularly. If you set your apps to update automatically, they’ll always have the latest security patches that have been built to close off known vulnerabilities.
2. Turn on two-factor authentication by going to Settings, then Account, and opening Two-step verification. Hit Enable and you’re done.
Two-factor authentication means you will need to confirm whenever you log into WhatsApp via a new device using a second login credential of your choosing. As this information isn’t available via the trick Sophos have highlighted, it’ll block the hackers from using the information they can steal via a video or voice call with your account from taking it over. It is highly recommended that you activate two-factor authentication across your other apps and social accounts wherever possible.