From the story on The Register:
A security flaw in WhatsApp can be, and has been, exploited to inject spyware into victims' smartphones: all a snoop needs to do is make a booby-trapped voice call to a target's number, and they're in. The victim doesn't need to do a thing other than leave their phone on.
The Facebook-owned software suffers from a classic buffer overflow weakness. This means a successful hacker can hijack the application to run malicious code that pores over encrypted chats, eavesdrops on calls, turns on the microphone and camera, accesses photos, contacts, and other information on a handheld, and potentially further compromises the device. Call logs can be altered, too, to hide the method of infection.
To pull this off this intrusion, the attacker has to carefully manipulate packets of data sent during the process of starting a voice call with a victim; when these packets are received by the target's smartphone, an internal buffer within WhatsApp is forced to overflow, overwriting other parts of the app's memory and leading to the snoop commandeering the chat application.
Engineers at Facebook scrambled over the weekend to patch the hole, designated CVE-2019-3568, and freshly secured versions of WhatsApp were pushed out to users on Monday. If your phone offers to update WhatsApp for you, do it, or check for new versions manually. The vulnerability is present in the Google Android, Apple iOS, and Microsoft Windows Phone builds of the app, which is used by 1.5 billion people globally.
From the Facebook advisory on the issue:
- Description: A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.
- Affected Versions: The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.
It should be noted that the 'remote code' doesn't seem to be OS-specific and given the architectural differences between iOS, Android and Windows Phone, the privacy damage is 'limited' to just the things that Whatsapp's own code can access. Still, with 'microphone and camera, accesses photos, contacts' accessible, that's quite a large privacy invasion for most of us!
Now to those version numbers. We had a new version of Whatsapp pushed to the Microsoft Store in the last few days but it was v2.18.346. Begging the question of whether this is the fixed version and Facebook got the version number wrong in its advisory, or - more likely - the fixed version of Whatsapp is hot off the press and hasn't been approved in the Microsoft Store yet. I'm inclined to go with the latter.
Even if it takes an extra day or so to appear in the Windows Phone Store or (Windows 10 Mobile 'Microsoft Store') then I wouldn't worry too much. The chances of one of your personal Whatsapp contacts being infected are quite low. If you're really paranoid then uninstall Whatsapp for a few days, until I say it's safe to head online again (I'll update this story when I notice the update available).
[Update: Version 2.18.350 is now in the Store, so get updating!]