WhatsApp fixes vulnerability that allowed hackers to exploit phones using MP4 files

“An infected MP4 file shared on WhatsApp could allow attackers to remotely access messages and files stored in the app”

WhatsApp has fixed a security issue that left many vulnerable to hackers. The bug has been identified with the code CVE-2019-11931 and is said to have made it possible for attackers to send MP4 files with malicious code to a victim’s device. The code can be executed remotely and allows hackers to access messages as well as files stored in the app without any intervention. The WhatsApp bug is believed to be just an entry point for an exploit chain that allows hackers to penetrate digital protections.

The bug has affected devices running WhatsApp Android versions prior to 2.19.374, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Windows Phone versions before and including 2.18.368, Business for Android versions prior to 2.19.104, and Business for iOS prior to 2.19.100. “A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in Parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE,” said Facebook in its post.

Talking to The Next Web, a WhatsApp spokesperson said that the company “is constantly working to improve the security of its service. We make public, reports on potential issues we have fixed consistently with industry best practices. In this instance, there is no reason to believe users were impacted.”

The update comes just weeks after WhatsApp accused Israeli spyware Pegasus of spying on at least two dozen academics, lawyers, Dalit activists, and journalists in India. The messaging platform informed those whose phones were under surveillance for a two-week period until May 2019. “We believe this attack targeted at least 100 members of civil society which is an unmistakable pattern of abuse. This number may grow higher as more victims come forward,” the company said then.