Another WhatsApp Vulnerability Could Allow Installation of Spyware Through MP4 Videos

Sharing videos on WhatsApp is a cool feature. However, due to a bug, this feature could have become a security threat for users. Facebook has recently revealed a WhatsApp vulnerability that could allow installing malware to target devices.

WhatsApp Vulnerability Triggered Through MP4 Videos

Facebook has disclosed a serious WhatsApp vulnerability that exposed users to potential malware attacks.

As disclosed in an advisory, the stack-based buffer overflow vulnerability existed in almost all WhatsApp versions for both the consumers and enterprise apps. To trigger the flaw, an attacker would simply have to send maliciously crafted MP4 videos to the target users.

Describing this vulnerability CVE-2019-11931, Facebook stated,

A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE.

Exploiting the bug could allow the attacker to execute remote code. It also permitted the attacker to install spyware or any other malware to the victim’s device.

Facebook Released The Patched Version

Fortunately, Facebook have fixed the vulnerability with the release of WhatsApp updates rolled out on November 13, 2019. Therefore, if the users are running the following vulnerable app versions, they must ensure updating their respective devices accordingly.

  • WhatsApp for Android versions prior to 2.19.274
  • WhatsApp for iOS versions prior to 2.19.100
  • Windows Phone versions including and prior to 2.18.368
  • WhatsApp Enterprise Client versions prior to 2.25.3
  • Business for Android versions prior to 2.19.104
  • Business for iOS versions prior to 2.19.100

A Facebook spokesperson confirmed no exploitation of the flaw.

WhatsApp is constantly working to improve the security of our service. We make public reports on potential issues we have fixed consistent with industry best practices. In this instance, there is no reason to believe that users were impacted.

In October, Facebook also fixed another bug in WhatsApp that could allow hijacking chat sessions using malicious GIFs.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients