WhatsApp has fixed a critical security flaw in the Android and iOS versions of its app that could give hackers access to messages and files stored on a vulnerable device by means of a specially crafted MP4 file. WhatsApp confirmed that, along with the consumer versions of its app, the issue affects the Enterprise Client, as well as the Business for Android and Business for iOS versions of WhatsApp.
Reports suggest that the vulnerability hasn’t been exploited so far, as there are no signs of attacks happening in the wild. That said, WhatsApp warns that a successful attack would have led to a denial of service or remote code execution.
“A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE. This affects Android versions prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Business for Android versions prior to 2.19.104 and Business for iOS versions prior to 2.19.100,” CVE-2019-11931 reads.
Readers are advised to update to the latest version of WhatsApp to keep themselves protected against this vulnerability.
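For anyone checking an inventory of managed devices against the fixed versions quoted above, a small triage helper follows. It is an added example, not code from WhatsApp or from the original article; the product keys and the sample inventory are constructed for illustration.

```python
# Added example: triage an app inventory against the first fixed versions
# given in the CVE-2019-11931 advisory text quoted in this article.
# Product keys and SAMPLE_INVENTORY are constructed for illustration.

FIXED = {  # first fixed version per product, from the advisory text
    "android": "2.19.274",
    "ios": "2.19.100",
    "enterprise": "2.25.3",
    "business-android": "2.19.104",
    "business-ios": "2.19.100",
}

def parse_version(text):
    """Turn '2.19.274' into (2, 19, 274); raise ValueError on bad input."""
    parts = text.strip().split(".")
    if any(not p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable(product, installed):
    """True if the installed version is older than the first fixed one."""
    fixed = parse_version(FIXED[product])  # KeyError for an unknown product
    have = parse_version(installed)
    # Pad to equal length so '2.25' compares as '2.25.0'. Comparing the
    # raw strings would wrongly rank '2.19.99' above '2.19.100'.
    width = max(len(fixed), len(have))
    have += (0,) * (width - len(have))
    fixed += (0,) * (width - len(fixed))
    return have < fixed

def triage(inventory):
    """Map each (device, product, version) row to UPDATE, ok or REVIEW."""
    report = {}
    for device, product, version in inventory:
        try:
            report[device] = "UPDATE" if is_vulnerable(product, version) else "ok"
        except (KeyError, ValueError):
            report[device] = "REVIEW"  # unknown product or unparsable version
    return report

SAMPLE_INVENTORY = [  # constructed rows, not real devices
    ("phone-01", "android", "2.19.230"),
    ("phone-02", "ios", "2.19.99"),
    ("phone-03", "business-android", "2.19.104"),
    ("srv-01", "enterprise", "2.25.3"),
    ("phone-04", "android", "beta-build"),
]

if __name__ == "__main__":
    for device, status in triage(SAMPLE_INVENTORY).items():
        print(f"{device}: {status}")
```

Rows marked REVIEW carry a product or version string the helper could not interpret and need a manual check rather than being assumed safe.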
Facebook-owned WhatsApp is currently the most popular messaging app on both iOS and Android. According to sources, the service currently has over 1.5 billion active users on all supported platforms.
The news comes shortly after WhatsApp confirmed that spyware developed by NSO Group was used to target 1400 selected users globally and in India, which included human rights activists and journalists. That said, there’s no indication that the MP4 flaw was used in similar attacks. Besides, the Indian government clearly denied that it purchased or used the spyware in question to target its citizens.