This WhatsApp Flaw Let Hackers Flood Your Device With Malware Via Video Files

Anyone who uses WhatsApp—and many people do, with the developers claiming 1.5 billion monthly active users—should make sure they have the latest version installed. Otherwise, they could be susceptible to a critical vulnerability that could allow hackers to infiltrate their text messaging conversations, pictures, and other private information.

The vulnerability is listed as CVE-2019-11931. In short, a hacker could remotely compromise a device through WhatsApp by sending over a video file injected with malicious code. All the hacker would need is the phone number of a targeted user.

"A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS [denial of service] or RCE [remote code execution]," the CVE tracker reads.

The flaw affects Android versions of WhatsApp prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Business for Android versions prior to 2.19.104, and Business for iOS versions prior to 2.19.100.
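One way to check a device or app inventory against the fixed versions listed above, as an added example (not code from WhatsApp or from this article). The product labels and the sample inventory rows are constructed for illustration.

```python
import re

# First fixed release per product, from the version list above.
# The dictionary keys are labels chosen for this example.
FIXED = {
    "android": "2.19.274",
    "ios": "2.19.100",
    "enterprise": "2.25.3",
    "business-android": "2.19.104",
    "business-ios": "2.19.100",
}

def parse_version(text):
    """Turn '2.19.100' into (2, 19, 100); reject anything non-numeric."""
    text = text.strip()
    if not re.fullmatch(r"[0-9]+(\.[0-9]+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def is_affected(product, version):
    """True if version is older than the first fixed release for product."""
    fixed = parse_version(FIXED[product])
    found = parse_version(version)
    # Pad to equal length so '2.19' compares as '2.19.0'.
    width = max(len(fixed), len(found))
    found += (0,) * (width - len(found))
    fixed += (0,) * (width - len(fixed))
    return found < fixed

def audit(inventory):
    """Label each (device, product, version) row affected/patched/unknown."""
    results = []
    for device, product, version in inventory:
        try:
            status = "affected" if is_affected(product, version) else "patched"
        except (KeyError, ValueError):
            status = "unknown"  # unknown product or malformed version: review by hand
        results.append((device, product, version, status))
    return results

# Constructed sample inventory (not real devices).
SAMPLE = [
    ("phone-01", "android", "2.19.274"),
    ("phone-02", "ios", "2.19.99"),  # a plain string compare would call this newer
    ("phone-03", "enterprise", "2.25.2"),
    ("phone-04", "business-android", "beta"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row)
```

Versions are compared as integer tuples because a plain string comparison ranks "2.19.99" above "2.19.100" and would report an affected iOS build as patched.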

Fortunately, WhatsApp patched the vulnerability. The developer also claims "there is no reason to believe that users were impacted" by the flaw, according to a statement provided to The Hacker News. That might be true, but with WhatsApp being as popular as it is, there is the potential for something like this to spread quickly. It could also linger, if users do not update to the latest release.

The disclosure of this vulnerability comes a couple of weeks after Facebook filed a lawsuit against Israeli spyware firm NSO Group over its Pegasus software, which hackers used to spread malware onto devices running WhatsApp. Human rights attorneys were among the main targets of the malware.