Thu. Dec 12th, 2019

WhatsApp vulnerabilitiy let hackers may secretly install spyware on your device

1 min read

WhatsApp quietly patched a critical vulnerability in its application last month that could allow an attacker to remotely compromise a target device and potentially steal secure chat messages and files stored in it.

The old WhatsApp version caused a buffer overflow of the stack during the parsing of the basic stream metadata of the MP4 file. The vulnerability (CVE-2019-11931) is prone to DoS attacks or remote code execution attacks.

WhatsApp fingerprint lock
Image: WhatsApp

If the attacker wants to exploit this vulnerability remotely, the attacker needs only the target user’s phone number and sends them a maliciously crafted MP4 file via WhatsApp, which can eventually silently install a malicious backdoor or spyware on the infected device. The vulnerability affects consumers and enterprise applications for WhatsApp on all major platforms, including Google Android, Apple iOS and Microsoft Windows. According to a report published by Facebook, the list of affected application versions is as follows

  • Android versions before 2.19.274
  • iOS versions before 2.19.100
  • Enterprise Client versions before 2.25.3
  • Windows Phone versions before and including 2.18.368
  • Business for Android versions before 2.19.104
  • Business for iOS versions before 2.19.100

Currently, all users need to update WhatsApp to the latest version and prohibit automatic download of image, audio and video files from the app settings.

Via: thehackernews