Many users believe WhatsApp is one of the most secure messaging services on the planet, but recent reports seem to suggest otherwise. After reports of WhatsApp being used to spy on users in India, Facebook (WhatsApp’s parent company) has now disclosed that it has patched a vulnerability that allowed remote code execution. Before the patch, hackers could exploit this flaw with an MP4 video file to carry out the attack and gain access to your personal data.
Facebook revealed the vulnerability, tracked as CVE-2019-11931, in a recent security advisory. It allowed hackers to use specially crafted MP4 video files, which look like ordinary videos, to remotely execute malicious code on your devices without your knowledge. Few details have been released, but the issue was caused by how WhatsApp parses MP4 videos inside your conversations.
Facebook elaborates on the vulnerability saying, “A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS [denial of service] or RCE [remote code execution].”
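A stack-based overflow in a metadata parser commonly arises when a length field read from the file is trusted. The C code below is an added example, not WhatsApp's code and not a reconstruction of the actual flaw (the advisory does not say which field was mishandled): it reads one MPEG-4 descriptor, of the kind stored in an MP4 `esds` box, and copies its payload into a fixed-size buffer only after checking the declared length against both the bytes present and the buffer's capacity. `DSI_MAX`, the function names and the sample byte strings are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DSI_MAX 64 /* assumed capacity of the fixed-size destination buffer */

/* Constructed samples: tag 0x05 (DecoderSpecificInfo), length, payload. */
static const uint8_t SAMPLE_OK[] = {0x05, 0x02, 0x12, 0x10};
static const uint8_t SAMPLE_SHORT[] = {0x05, 0x10, 0x12, 0x10};   /* claims 16, has 2 */
static const uint8_t SAMPLE_BIG[3 + 128] = {0x05, 0x81, 0x00};    /* 128 > DSI_MAX */
static const uint8_t SAMPLE_RUNAWAY[] = {0x05, 0x80, 0x80, 0x80, 0x80, 0x01};

/* Descriptor length as commonly parsed: at most 4 bytes, 7 value bits each,
 * high bit set means another length byte follows. */
static int read_desc_len(const uint8_t *p, size_t avail, size_t *used, uint32_t *len)
{
    uint32_t v = 0;
    for (size_t i = 0; i < 4 && i < avail; i++) {
        v = (v << 7) | (p[i] & 0x7F);
        if (!(p[i] & 0x80)) { *used = i + 1; *len = v; return 0; }
    }
    return -1; /* input ended, or continuation bit still set on the 4th byte */
}

/* Copy one descriptor's payload into out[DSI_MAX].
 * Returns the payload length, or -1 if the input is malformed or too large. */
int copy_descriptor(const uint8_t *buf, size_t n, uint8_t expect_tag, uint8_t *out)
{
    size_t used;
    uint32_t len;
    if (n < 1 || buf[0] != expect_tag) return -1;
    if (read_desc_len(buf + 1, n - 1, &used, &len) != 0) return -1;
    if (len > n - 1 - used) return -1; /* declared length exceeds data present */
    if (len > DSI_MAX) return -1;      /* declared length exceeds destination */
    memcpy(out, buf + 1 + used, len);
    return (int)len;
}

int main(void)
{
    uint8_t out[DSI_MAX];
    printf("ok=%d short=%d big=%d runaway=%d\n",
           copy_descriptor(SAMPLE_OK, sizeof SAMPLE_OK, 0x05, out),
           copy_descriptor(SAMPLE_SHORT, sizeof SAMPLE_SHORT, 0x05, out),
           copy_descriptor(SAMPLE_BIG, sizeof SAMPLE_BIG, 0x05, out),
           copy_descriptor(SAMPLE_RUNAWAY, sizeof SAMPLE_RUNAWAY, 0x05, out));
    return 0;
}
```

Dropping either length check leaves `memcpy` bounded only by a value the file's author chose, which is the condition that turns a malformed file into memory corruption.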
The vulnerability affects WhatsApp for Android versions prior to 2.19.274 and iOS versions prior to 2.19.100. Also affected are Windows Phone versions up to and including 2.18.368, and WhatsApp Business versions prior to 2.19.104 on Android and prior to 2.19.100 on iOS.
“WhatsApp is constantly working to improve the security of our service. We make public reports on potential issues we have fixed consistent with industry best practices. In this instance, there is no reason to believe that users were impacted,” confirms a Facebook spokesperson.
Facebook suggests updating WhatsApp to the newest software build to avoid the risk of hackers exploiting your personal data. There are no reports of the exploit being actively used at the moment. This is the second exploit that WhatsApp has disclosed in the past month. It is hard to forget the use of NSO’s Pegasus spyware to keep tabs on Indian journalists and human rights activists via WhatsApp.