Update WhatsApp now: MP4 video bug exposes your messages

WhatsApp’s pitch: Simple. Secure. Reliable messaging.

Needed marketing addendum: Hole. Update. Now. Evil. MP4s.

Facebook on Thursday posted a security advisory about a seriously risky buffer overflow vulnerability in WhatsApp, CVE-2019-11931, that could be triggered by a nastily crafted MP4 video.

It’s rated as a high-risk vulnerability – 7.8 – on the CVE scale. Understandably so: if left unpatched, it can lead to remote code execution (RCE), which can then enable attackers to access users’ files and messages. The security hole also leaves devices vulnerable to Denial of Service (DoS) attack.

Facebook said that this one affects WhatsApp versions for iOS, Android and Windows phones. The problem isn’t just on the regular WhatsApp; it’s also found on WhatsApp for Business and WhatsApp for Enterprise.

That’s an enormous number of users: With over 1.5 billion monthly active users, WhatsApp is the most popular mobile messenger app worldwide, according to Statista.

Facebook has issued a fix, so if you haven’t already, it’s time to update. Here’s Facebook’s technical explanation about the vulnerability:

A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE.

A WhatsApp spokesperson told The Next Web that as far as the company can tell, the vulnerability hasn’t yet been exploited in the wild:

WhatsApp is constantly working to improve the security of our service. We make public, reports on potential issues we have fixed consistent with industry best practices. In this instance there is no reason to believe users were impacted.

These are the versions of the app that are affected:

• Android versions prior to 2.19.274
• iOS versions prior to 2.19.100
• Enterprise Client versions prior to 2.25.3
• Windows Phone versions before and including 2.18.368
• Business for Android versions prior to 2.19.104
• Business for iOS versions prior to 2.19.100

Links in exploit chains

While it’s good news to hear that the bug hasn’t yet been exploited, it’s no reason not to stomp on it hard and fast. Such flaws can be incorporated into exploit chains that link vulnerabilities: a technique reportedly used by companies that advertise tools that can break even Apple’s iPhone encryption.

In fact, WhatsApp last month sued the spyware maker NSO Group over what’s known as a zero-click vulnerability: one that allowed attackers to silently install spyware just by placing a video call to a target’s phone.

The attack let somebody or somebodies call vulnerable devices to install spyware that could listen in on calls, read messages and switch on the camera.

WhatsApp users were getting hacked over that zero-click hole in an attack that WhatsApp says was enabled by NSO Group’s off-the-shelf spyware tools – specifically, the notorious Pegasus.

Update your phone!

You’re OK if you have a newer build of WhatsApp installed. Do run a check to see if any updates might be available for your device, though.

And please do that check regularly: if you’re using WhatsApp, you’re expecting secure messaging. To get that secure messaging, you have to harden your defenses against attackers who want to punch a hole in your encryption wall.