Just an MP4 file is enough to puncture WhatsApp

A new vulnerability has been discovered in WhatsApp's code. It allows an attacker to compromise the integrity of the device on which the application is installed by causing a buffer overflow and then executing commands remotely or triggering a denial of service. All that is needed is a specially crafted MP4 file.

Attack on WhatsApp with an MP4 file

The problem is classified as "critical" and affects the way WhatsApp handles MP4 content. According to information released at the weekend by GBHackers, the flaw is present in the Android releases (before 2.192.74), the iOS releases (prior to 2.19.100), the Enterprise Client (before 2.25.3), Business for Android (before 2.19.104), Business for iOS (prior to 2.19.100) and the Windows Phone edition (up to 2.18.368).

Through an attack of this type, an attacker is potentially able to introduce malicious code into the device, steal sensitive information from memory (not just messages, but also photos, videos and documents) or activate microphones and cameras to spy on the user.

This is not the first time WhatsApp's defenses have been brought to their knees by a mechanism of this kind: last month there was a similar alarm, with a flaw that could be exploited by sending a specially corrupted GIF.

To be on the safe side, users can keep the application up to date and be wary of opening files or videos (especially those with the MP4 extension) from unknown sources. Facebook stated that it had taken charge of the problem, labeling the vulnerability CVE-2019-11931 and working hard to remedy it as quickly as possible. At the moment there are no reports of exploits or breaches.

On a related note, at the end of October the WhatsApp team leveled an accusation against the Israeli NSO Group for having developed the Pegasus spyware, which is able to exploit another vulnerability in the application for espionage purposes, and for putting the tool in the hands of the highest bidder, including governments.

My name is Michael, I'm a professional software developer and blogger. I made this website to share my knowledge about everything you see here 🙂 haha, hope you will like it, and do not forget to follow me on my Twitter.