Facebook has officially patched a rather troubling vulnerability that was present on its WhatsApp platform. The vulnerability (CVE-2019-11931) allows for remote code execution and denial-of-service attacks when users open basic video files in MP4 format. The flaw, which was found internally by Facebook, is relatively easy for a skilled hacker to exploit, as crafting malicious MP4 files is not a huge undertaking. In its own security post on the flaw last week, Facebook had this to say:
A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE. This affects Android versions prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Windows Phone versions before and including 2.18.368, Business for Android versions prior to 2.19.104, and Business for iOS versions prior to 2.19.100.
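The advisory places the bug in the parsing of elementary stream metadata, where a descriptor's encoded length is trusted when its payload is copied into a fixed-size stack buffer. The following is an added illustration, not WhatsApp's or Facebook's code: a hypothetical, simplified parser for one MPEG-4 descriptor (tag byte, 1-4 byte expandable size, payload) that shows the two length checks whose absence produces this overflow class. The `DSI_MAX` buffer size and the sample inputs are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified parser for one MPEG-4 elementary stream
 * descriptor (tag, expandable size, payload). Written to show the bounds
 * checks that prevent the stack-overflow class named in the advisory;
 * it is not WhatsApp's code and DSI_MAX is a constructed buffer size. */
#define DSI_MAX 16   /* fixed stack buffer for the descriptor payload */

/* Decode an ISO 14496-1 expandable size: 1-4 bytes, 7 data bits each,
 * high bit set means another byte follows.
 * Returns bytes consumed, or 0 if the size field is malformed or runs
 * past the available input. */
static size_t read_expandable_size(const uint8_t *p, size_t avail,
                                   uint32_t *out)
{
    uint32_t size = 0;
    for (size_t i = 0; i < 4 && i < avail; i++) {
        size = (size << 7) | (p[i] & 0x7F);
        if (!(p[i] & 0x80)) {
            *out = size;
            return i + 1;
        }
    }
    return 0;  /* more than 4 size bytes, or input ended mid-field */
}

/* Parse one descriptor from `in`, copying its payload into a fixed stack
 * buffer. Returns the payload length on success, -1 if the input is
 * rejected. The single `if` before memcpy is the defence: a parser that
 * trusts the encoded size writes past `buf` on a crafted file. */
int parse_descriptor(const uint8_t *in, size_t len, uint8_t *tag_out)
{
    uint8_t buf[DSI_MAX];
    uint32_t size;

    if (len < 2)
        return -1;                      /* need at least tag + size byte */
    *tag_out = in[0];
    size_t n = read_expandable_size(in + 1, len - 1, &size);
    if (n == 0)
        return -1;
    /* Reject a size larger than the stack buffer OR larger than the
     * bytes actually present; either omission is an overflow/over-read. */
    if (size > DSI_MAX || size > len - 1 - n)
        return -1;
    memcpy(buf, in + 1 + n, size);     /* safe: size bounded both ways */
    return (int)size;
}
```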
In a statement to Lindsey O’Donnell of Kaspersky Lab’s Threatpost, a Facebook spokesperson said Facebook is certain that no users have been compromised. The statement reads as follows:
WhatsApp cares deeply about the privacy of our users and we’re constantly working to enhance the security of our service... We make public reports on potential issues we have fixed consistent with industry best practices. In this instance there is no reason to believe users were impacted.
This statement rings hollow when considering the long list of privacy issues that Facebook and its various applications have had over the years. WhatsApp, in particular, has become a priority target for governments looking to spy on citizens and also for hackers looking to infect unaware users. Mark Zuckerberg has repeatedly touted the lengths that Facebook goes to for privacy, but the evidence has repeatedly proven this to be false.
When journalists or activists need a secure messaging service, they don’t use WhatsApp, instead opting for Signal (used by many journalists in hostile nations) or Telegram (the go-to application for protestors in Hong Kong). That speaks volumes about Facebook’s negative reputation in the larger community of privacy advocates and cybersecurity professionals.
This most recent WhatsApp vulnerability is merely the tip of the iceberg for WhatsApp’s many problems. If history is any guide, expect the problems to continue.
Featured image: Flickr / Christoph Scholz