Attackers using WhatsApp MP4 video files vulnerability can remotely execute code

The buffer overflow flow bug has been disclosed by Facebook.

Apple, Google and WhatsApp fight 'ghost' user proposal to infiltrate group chats Tech giants speak out against GCHQ's idea for silently adding a spy to an encrypted messaging chat.

Facebook has disclosed the existence of a severe vulnerability leading to remote code execution attacks in WhatsApp messaging software.

Last week, the technology giant said in a security advisory that the WhatsApp bug, tracked as CVE-2019-11931, is a stack-based buffer overflow issue which can be triggered by attackers sending crafted .MP4 video files to victims. 

While there are not many technical details available, Facebook said that the problem was caused by how the encrypted messaging app parses .MP4 elementary stream metadata. 

If exploited, the vulnerability can lead to denial-of-service (DoS) or remote code execution (RCE) attacks. 

See also: WhatsApp vulnerabilities 'put words in your mouth,' lets hackers take over conversations

WhatsApp versions prior to 2.19.274 on Android and iOS versions prior to 2.19.100 are affected. Business users of WhatsApp prior to 2.19.104 on Android and 2.19.100 on iOS are also susceptible to attack.

Enterprise Client versions prior to 2.25.3 and Windows Phone versions of WhatsApp including 2.18.368 and below are also impacted.

It is recommended that users update their software builds to mitigate the risk of exploit. However, there does not appear to be any reports of the vulnerability being actively exploited in the wild.

"WhatsApp is constantly working to improve the security of our service," a Facebook spokesperson said. "We make public reports on potential issues we have fixed consistent with industry best practices. In this instance, there is no reason to believe that users were impacted."

CNET: Android users beware: 146 bugs found in preinstalled apps

WhatsApp has previously been central to a controversy relating to the Israeli company NSO Group, the makers of the Pegasus "lawful intercept" tool. In May, the WhatsApp team was made aware of a vulnerability used to deploy the spyware on the handsets of WhatsApp users. 

TechRepublic: How can you protect yourself from hackers? An IBM social engineer offers advice

In October, a cybersecurity researcher uncovered a double-free vulnerability, CVE-2019-11932, which could be used in attacks for compromising chat sessions, files, and messages. 

The security flaw could be triggered through a malicious application already installed on a target device or through the sending of a crafted, malicious .GIF file. If exploited, the bug could result in the remote execution of code and was patched in WhatsApp version 2.19.244. 

Another set of interesting vulnerabilities in the messaging app was disclosed by Check Point a month prior. The set of bugs "could allow threat actors to intercept and manipulate messages sent in both private and group conversations," the researchers said, and could be weaponized to exploit group "quote" features, replies, and private messages. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0