A new critical vulnerability discovered in the WhatsApp application can be exploited by hackers for surveillance purposes and to steal users' data. The vulnerability affects the consumer and enterprise versions of the messaging platform on Android, Windows Phone and iOS.
Tracked as CVE-2019-11931, the vulnerability results from a stack-based buffer overflow that can be triggered by sending a specially crafted MP4 file to a WhatsApp user, Facebook explains in an advisory.
An attacker could exploit the bug to install malicious programs on the victim's device by sending an MP4 file specially made to trigger a denial of service (DoS) or execute code the moment it's opened.
"The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE," the social giant said.
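The advisory does not say which metadata field overflowed, so the following is an added illustration of the bug class from the defender's side, not WhatsApp's code: a length-prefixed MP4 descriptor copied into a fixed-size buffer only after its declared size is checked against both the input and the buffer. The function names, the `DESC_MAX` capacity and the sample bytes are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DESC_MAX 64 /* capacity of the fixed destination buffer (constructed) */

/* Read the variable-length size: up to 4 bytes, 7 value bits each; a set
 * high bit means another byte follows. Returns bytes consumed, 0 on error. */
static size_t read_descr_len(const uint8_t *p, size_t avail, uint32_t *len)
{
    uint32_t v = 0;
    for (size_t i = 0; i < 4 && i < avail; i++) {
        v = (v << 7) | (p[i] & 0x7f);
        if (!(p[i] & 0x80)) {
            *len = v;
            return i + 1;
        }
    }
    return 0; /* input ended, or the length field never terminated */
}

/* Copy one descriptor payload (tag, size, bytes) into a fixed buffer.
 * Returns the payload length, or -1 if the descriptor must be rejected. */
int copy_descriptor(const uint8_t *in, size_t in_len, uint8_t out[DESC_MAX])
{
    uint32_t declared = 0;
    size_t used;
    if (in_len < 2)
        return -1;
    used = read_descr_len(in + 1, in_len - 1, &declared);
    if (used == 0)
        return -1;
    if (declared > in_len - 1 - used) /* claims more bytes than the input holds */
        return -1;
    if (declared > DESC_MAX)          /* would overrun the destination buffer */
        return -1;
    /* The unsafe form of this routine is the memcpy below without the two checks. */
    memcpy(out, in + 1 + used, declared);
    return (int)declared;
}

int main(void)
{
    const uint8_t sample[] = {0x05, 0x02, 0xAA, 0xBB}; /* constructed input */
    uint8_t out[DESC_MAX];
    printf("copied %d bytes\n", copy_descriptor(sample, sizeof sample, out));
    return 0;
}
```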
Affected WhatsApp versions include Android versions prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Windows Phone versions before and including 2.18.368, Business for Android versions prior to 2.19.204, and Business for iOS versions prior to 2.19.100.
WhatsApp has released an update that addresses the issue. Though no attacks using the exploit have been reported, users are urged to update their WhatsApp to avoid being targeted. Proof-of-concept code can be seen in this published GitHub post.
Last month, Facebook dragged Israeli software company NSO Group to court for allegedly creating software that exploited its video calling system to snoop on select users, including human rights activists, journalists, judges and more.