WhatsApp quietly patched a critical vulnerability in its application last month that could allow an attacker to remotely compromise a target device and potentially steal secure chat messages and files stored in it.
The old WhatsApp version caused a buffer overflow of the stack during the parsing of the basic stream metadata of the MP4 file. The vulnerability (CVE-2019-11931) is prone to DoS attacks or remote code execution attacks.
If the attacker wants to exploit this vulnerability remotely, the attacker needs only the target user’s phone number and sends them a maliciously crafted MP4 file via WhatsApp, which can eventually silently install a malicious backdoor or spyware on the infected device. The vulnerability affects consumers and enterprise applications for WhatsApp on all major platforms, including Google Android, Apple iOS and Microsoft Windows. According to a report published by Facebook, the list of affected application versions is as follows
- Android versions before 2.19.274
- iOS versions before 2.19.100
- Enterprise Client versions before 2.25.3
- Windows Phone versions before and including 2.18.368
- Business for Android versions before 2.19.104
- Business for iOS versions before 2.19.100
Currently, all users need to update WhatsApp to the latest version and prohibit automatic download of image, audio and video files from the app settings.