New bug could be exploited by hackers to secretly install spyware
The recent controversies surrounding the WhatsApp hacking haven't yet settled, and the world's most popular messaging platform could be in choppy waters once again.
The Hacker News has learned that last month WhatsApp quietly patched yet another critical vulnerability in its app that could have allowed attackers to remotely compromise targeted devices and potentially steal secured chat messages and files stored on them.
The vulnerability — tracked as CVE-2019-11931 — is a stack-based buffer overflow issue that resided in the way previous WhatsApp versions parse the elementary stream metadata of an MP4 file, resulting in denial-of-service or remote code execution attacks.
CVE-2019-11931 detail (vulnerability-database entry as captured):
- CVSSv3: 7.7, vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C. Note that 7.7 is the temporal score after the E:U/RL:O/RC:C modifiers; the base metrics in that vector compute to 8.8.
- CWE-ID: CWE-121 (Stack-based Buffer Overflow)
- Description: the vulnerability allows a remote attacker to execute arbitrary code on the target system. A stack-based buffer overflow can be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE.
- Affected: Android versions prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Business for Android versions prior to 2.19.104 and Business for iOS versions prior to 2.19.100 (this entry omits the Windows Phone versions listed in Facebook's advisory below).
- Mitigation: install updates from the vendor.
To exploit the vulnerability remotely, all an attacker needs is the target's phone number: they send a maliciously crafted MP4 file over WhatsApp, and the resulting code execution can be used to silently install a backdoor or spyware app on the compromised device.
The vulnerability affects both the consumer and the enterprise WhatsApp apps on all major platforms, including Google Android, Apple iOS, and Microsoft Windows Phone.
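To make the bug class concrete, here is an added illustration in C of the pattern the advisory describes: an MP4 parser that reaches the elementary-stream descriptor ('esds' box) and trusts the descriptor's declared length when copying into a fixed-size stack buffer, beside a bounds-checked version. This is constructed example code, not WhatsApp's parser (which is not public); the 4-byte size/type box header and the MPEG-4 "expandable" descriptor length encoding follow the MP4 and MPEG-4 Systems specs, while the 64-byte buffer, the top-level 'esds' placement, the function names and the sample boxes are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the CWE-121 pattern behind CVE-2019-11931: an MP4
 * parser that trusts a length field in elementary-stream metadata and copies
 * that many bytes into a fixed-size stack buffer. Not WhatsApp's code. */

#define ES_BUF 64   /* assumed fixed-size stack buffer for the descriptor body */

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* MPEG-4 descriptor sizes are "expandable": 1-4 bytes of 7 bits, MSB = continue. */
static int read_expandable_len(const uint8_t *p, size_t avail, size_t *used, uint32_t *out) {
    uint32_t v = 0;
    for (size_t i = 0; i < 4 && i < avail; i++) {
        v = (v << 7) | (p[i] & 0x7f);
        if (!(p[i] & 0x80)) { *used = i + 1; *out = v; return 0; }
    }
    return -1;   /* truncated, or a fifth size byte (not allowed) */
}

/* Walk top-level boxes (4-byte big-endian size, 4-byte type) to the first 'esds';
 * return its payload (after the 8-byte header) and set *plen, or NULL. */
static const uint8_t *find_esds(const uint8_t *file, size_t len, size_t *plen) {
    size_t off = 0;
    while (len - off >= 8) {
        uint32_t size = rd32(file + off);
        if (size < 8 || size > len - off) return NULL;   /* box size lies about the file */
        if (memcmp(file + off + 4, "esds", 4) == 0) { *plen = size - 8; return file + off + 8; }
        off += size;
    }
    return NULL;
}

/* Shared prologue: esds payload = 4 bytes version/flags, then ES_DescrTag (0x03)
 * and the expandable length of the ES_Descriptor body. Returns body pointer. */
static const uint8_t *es_body(const uint8_t *file, size_t len, uint32_t *dlen, size_t *avail) {
    size_t plen, used;
    const uint8_t *p = find_esds(file, len, &plen);
    if (!p || plen < 6 || p[4] != 0x03) return NULL;
    if (read_expandable_len(p + 5, plen - 5, &used, dlen) != 0) return NULL;
    *avail = plen - 5 - used;   /* bytes of body actually present in the box */
    return p + 5 + used;
}

/* UNSAFE pattern: the declared length is used as the copy size without checking
 * either the destination size or the bytes present, so a crafted descriptor
 * overruns the stack buffer (CWE-121). Shown for contrast; never run on
 * untrusted input. */
int copy_es_unsafe(const uint8_t *file, size_t len) {
    uint8_t es[ES_BUF];
    uint32_t dlen; size_t avail;
    const uint8_t *body = es_body(file, len, &dlen, &avail);
    if (!body) return -1;
    memcpy(es, body, dlen);            /* dlen is attacker-controlled */
    return (int)dlen;
}

/* HARDENED: reject a declared length that exceeds what the box holds or what
 * the destination can take; only then copy. Error codes distinguish the two. */
int copy_es_safe(const uint8_t *file, size_t len, uint8_t *out, size_t cap) {
    uint32_t dlen; size_t avail;
    const uint8_t *body = es_body(file, len, &dlen, &avail);
    if (!body) return -1;
    if (dlen > avail) return -2;       /* claims more bytes than the box contains */
    if (dlen > cap) return -3;         /* would overflow the destination */
    memcpy(out, body, dlen);
    return (int)dlen;
}

/* Constructed sample: one top-level 'esds' box whose ES_Descriptor declares
 * `declared` body bytes while only `actual` are present. Returns file length. */
size_t build_sample(uint8_t *buf, size_t cap, uint32_t declared, size_t actual) {
    size_t lb = declared < 128 ? 1 : 2;            /* expandable length: 1 or 2 bytes */
    size_t total = 8 + 4 + 1 + lb + actual;
    if (declared >= 16384 || total > cap) return 0;
    memset(buf, 0, total);                         /* version/flags at 8..11 stay zero */
    buf[0] = (uint8_t)(total >> 24); buf[1] = (uint8_t)(total >> 16);
    buf[2] = (uint8_t)(total >> 8);  buf[3] = (uint8_t)total;
    memcpy(buf + 4, "esds", 4);
    buf[12] = 0x03;                                /* ES_DescrTag */
    if (lb == 2) { buf[13] = 0x80 | (uint8_t)(declared >> 7); buf[14] = (uint8_t)(declared & 0x7f); }
    else buf[13] = (uint8_t)declared;
    memset(buf + 13 + lb, 0xAB, actual);           /* filler descriptor body */
    return total;
}

/* Run the hardened parser over a constructed sample into an ES_BUF-byte buffer. */
int check_sample(uint32_t declared, size_t actual) {
    uint8_t file[512], out[ES_BUF];
    size_t n = build_sample(file, sizeof file, declared, actual);
    return n ? copy_es_safe(file, n, out, sizeof out) : -99;
}

int main(void) {
    printf("well-formed (20 declared / 20 present):  %d\n", check_sample(20, 20));    /* 20 */
    printf("overlong claim (200 / 20):               %d\n", check_sample(200, 20));   /* -2 */
    printf("fits the box, not the buffer (100/100):  %d\n", check_sample(100, 100));  /* -3 */
    return 0;
}
```

The point of the two error codes is that a declared length can be wrong in two independent ways: it can exceed the bytes actually present (an out-of-bounds read of the file) or exceed the destination (the stack overwrite the advisory describes), and a parser has to check both against the real remaining byte count, not against the size the box itself claims. In a real MP4 the 'esds' box sits several levels down (moov/trak/mdia/minf/stbl/stsd/<sample entry>/esds); the top-level placement here only shortens the walk.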
According to an advisory published by Facebook, which owns WhatsApp, the list of affected app versions is as follows:
- Android versions before 2.19.274
- iOS versions before 2.19.100
- Enterprise Client versions before 2.25.3
- Windows Phone versions before and including 2.18.368
- Business for Android versions before 2.19.104
- Business for iOS versions before 2.19.100
The scope, severity, and impact of the newly patched vulnerability appear similar to a recent WhatsApp VoIP call vulnerability that was exploited by the Israeli company NSO Group to install Pegasus spyware on nearly 1400 targeted Android and iOS devices worldwide.
At the time of writing, it’s not clear if the MP4 vulnerability was also exploited as a zero-day in the wild before Facebook learned about and patched it.
The Hacker News has reached out to Facebook and WhatsApp for comment and will update the article as soon as we hear back from them.
Meanwhile, if you consider yourself a potential surveillance target and have received a random, unexpected MP4 video file over WhatsApp from an unknown number in recent months, keep a close eye on further developments in this story.
The WhatsApp MP4 vulnerability came just two weeks after Facebook sued the NSO Group for misusing the WhatsApp service to target its users.
In India at least, the lawsuit did not land as intended: rather than going after NSO Group for targeting over 100 Indian citizens, the Government scrutinised the social media giant itself and raised questions about the security of its end-to-end encrypted app.
For now, all users are advised to make sure they are running the latest version of WhatsApp on their device and to disable auto-downloads of images, audio and video files in the app settings.
Update — A WhatsApp spokesperson confirmed to The Hacker News that the newly reported WhatsApp RCE flaw was not exploited in the wild to target its users.
“WhatsApp is constantly working to improve the security of our service. We make public reports on potential issues we have fixed consistent with industry best practices. In this instance, there is no reason to believe that users were impacted,” WhatsApp told THN.