WhatsApp Remote Code Execution Triggered by Videos


The flaw can be trivially exploited.

Facebook has quietly patched a vulnerability in the popular WhatsApp messaging platform, which could be exploited to launch remote-code-execution or denial-of-service attacks on victims.

Attackers can exploit the flaw merely by sending a target user a video — specifically, a specially crafted MP4 file, Facebook has warned. MP4 is a digital multimedia container format usually used to store video and audio; further details around how the MP4 files would need to be crafted were not disclosed.

“The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE,” according to an advisory issued last week.

The WhatsApp flaw (CVE-2019-11931) is a buffer overflow, a type of flaw in which a buffer (a region in physical memory storage used to temporarily store data while it is being moved) allocated in the heap portion of memory (a region of a process’s memory that is used to store dynamic variables) can be overwritten with more data than it was sized to hold.

That excess data in turn corrupts nearby space in memory and could alter other data, opening the door for malicious attacks — in this case, DoS or RCE.
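As an added illustration of this bug class (not WhatsApp's code and not taken from the advisory, which disclosed no parsing details), the C sketch below shows the bounds checks a parser needs before copying a length-prefixed MP4 box payload into a fixed-size buffer. The helper name `copy_box_payload`, the `demo` box type and the sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BOX_HDR 8u  /* ISO BMFF box header: 4-byte big-endian size + 4-byte type */

/* Constructed sample inputs (not real media, not the undisclosed crafted file). */
static const uint8_t ok_box[]    = {0,0,0,12, 'd','e','m','o', 1,2,3,4};
static const uint8_t lying_box[] = {0,0,1,0,  'd','e','m','o', 1,2,3,4}; /* claims 256 bytes */
static const uint8_t big_box[]   = {0,0,0,16, 'd','e','m','o', 1,2,3,4,5,6,7,8};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Hypothetical helper: copy the payload of the box at `off` into dst.
 * Returns the payload length, or -1 if the box must be rejected. */
long copy_box_payload(const uint8_t *file, size_t file_len, size_t off,
                      uint8_t *dst, size_t dst_cap) {
    if (off > file_len || file_len - off < BOX_HDR)
        return -1;                       /* header itself is truncated */
    uint32_t declared = be32(file + off);
    /* Sizes 0 (box runs to end of file) and 1 (64-bit size follows) are
     * rejected here along with anything smaller than the header. */
    if (declared < BOX_HDR)
        return -1;
    if (declared > file_len - off)
        return -1;                       /* box claims more bytes than the file holds */
    size_t payload = declared - BOX_HDR;
    if (payload > dst_cap)
        return -1;                       /* copy would overflow the destination */
    memcpy(dst, file + off + BOX_HDR, payload);
    return (long)payload;
}

int main(void) {
    uint8_t dst[4];
    printf("well-formed box:     %ld\n", copy_box_payload(ok_box, sizeof ok_box, 0, dst, sizeof dst));
    printf("size exceeds file:   %ld\n", copy_box_payload(lying_box, sizeof lying_box, 0, dst, sizeof dst));
    printf("payload exceeds dst: %ld\n", copy_box_payload(big_box, sizeof big_box, 0, dst, sizeof dst));
    return 0;
}
```

Dropping either of the last two checks is what turns a declared length in the file into an out-of-bounds read or write.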

Specifically impacted are Android versions of WhatsApp prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Windows Phone versions before and including 2.18.368, Business for Android versions prior to 2.19.104, and Business for iOS versions prior to 2.19.100. Users should update to the latest version of the app in order to protect themselves.

A WhatsApp spokesperson told Threatpost that there is no evidence of the vulnerability being exploited in the wild thus far. The flaw was identified internally by WhatsApp, the spokesperson told Threatpost.

“WhatsApp cares deeply about the privacy of our users and we’re constantly working to enhance the security of our service,” said the spokesperson. “We make public reports on potential issues we have fixed consistent with industry best practices. In this instance there is no reason to believe users were impacted.”

WhatsApp, which is used by 1.5 billion people globally, is a popular messaging platform that touts itself as a secure end-to-end encryption app for communications.

However, WhatsApp has faced previous security issues – the most serious of which occurred in May, when the platform urged users to update as soon as possible after a zero-day vulnerability found in its messaging platform was exploited by attackers who were able to inject spyware onto victims’ phones in targeted campaigns. Facebook later filed a lawsuit against Israeli company NSO Group, creator of the Pegasus spyware, alleging that it was behind the hacks.

More recently, researchers identified a flaw in WhatsApp on Android devices which could allow attackers to launch privilege-elevation and RCE attacks on victims.

“WhatsApp, previously known as a secure private messaging app, is becoming a popular target for attackers and governments to spy on citizens,” Joseph Carson, chief security scientist at Thycotic, told Threatpost via email.
