Facebook patches WhatsApp remote code execution vulnerability

Facebook has officially patched a rather troubling vulnerability that was present on its WhatsApp platform. The vulnerability (CVE-2019-11931) allows remote code execution and denial-of-service attacks when users open basic video files in MP4 format. The flaw, which was found internally by Facebook, is relatively easy to exploit for a skilled hacker, as creating malicious MP4 files is not a huge undertaking. In its own security post on the flaw last week, Facebook had this to say:

A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE. This affects Android versions prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Windows Phone versions before and including 2.18.368, Business for Android versions prior to 2.19.104, and Business for iOS versions prior to 2.19.100.
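The advisory names the bug class (a stack-based buffer overflow while parsing MP4 metadata) without showing code, and WhatsApp's parser is not public. The following is an added illustration, not WhatsApp's code: a minimal parser for the MP4 "box" layout (4-byte big-endian size, 4-byte type, payload) in which the unsafe pattern trusts the file-supplied size as a copy length into a fixed stack buffer, next to a hardened version that validates the declared size against the bytes actually present and against the destination before copying. The box type, field size and sample bytes are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* An MP4 file is a sequence of "boxes": a 4-byte big-endian size (which
   covers the header itself), a 4-byte type tag, then the payload. The size
   comes straight from the file, so a parser must treat it as untrusted.
   Constructed illustration of the bug class, not WhatsApp's parser. */
#define BOX_HEADER_LEN 8
#define FIELD_MAX 32

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* VULNERABLE pattern: the declared box size becomes the copy length into a
   fixed-size stack buffer without being compared to that buffer or to the
   bytes actually present. A crafted size overruns `field` on the stack.
   Shown for contrast only; the demo below never calls it. */
int parse_box_unsafe(const uint8_t *buf, size_t len)
{
    char field[FIELD_MAX];
    if (len < BOX_HEADER_LEN) return -1;
    uint32_t box_size = be32(buf);
    memcpy(field, buf + BOX_HEADER_LEN, box_size - BOX_HEADER_LEN); /* no bounds check */
    return (int)(box_size - BOX_HEADER_LEN);
}

/* HARDENED version: check the declared size against the input length and
   the destination before any copy. Returns the payload length on success
   or a negative code when the box is rejected. */
int parse_box_safe(const uint8_t *buf, size_t len, char *out, size_t out_len)
{
    if (buf == NULL || out == NULL || len < BOX_HEADER_LEN) return -1;
    uint32_t box_size = be32(buf);
    if (box_size < BOX_HEADER_LEN || box_size > len) return -2; /* size field lies */
    size_t payload = box_size - BOX_HEADER_LEN;
    if (payload >= out_len) return -3;                          /* would not fit with NUL */
    memcpy(out, buf + BOX_HEADER_LEN, payload);
    out[payload] = '\0';
    return (int)payload;
}

/* Constructed sample boxes for the demonstration. */
static const uint8_t sample_valid[] = {
    0x00, 0x00, 0x00, 0x0d, 'n', 'a', 'm', 'e', 'h', 'e', 'l', 'l', 'o' }; /* size 13 */
static const uint8_t sample_lying_size[] = {
    0x00, 0x01, 0x00, 0x00, 'n', 'a', 'm', 'e', 'h', 'e', 'l', 'l', 'o' }; /* claims 65536 */

int demo_valid(void)
{
    char out[FIELD_MAX];
    return parse_box_safe(sample_valid, sizeof sample_valid, out, sizeof out);
}

int demo_lying_size(void)
{
    char out[FIELD_MAX];
    return parse_box_safe(sample_lying_size, sizeof sample_lying_size, out, sizeof out);
}

int demo_payload_too_large(void)
{
    /* The size field is honest (8 + 40 bytes are really present) but the
       payload is larger than the 32-byte destination: exactly the input on
       which parse_box_unsafe would overrun its stack buffer. */
    uint8_t box[BOX_HEADER_LEN + 40];
    memset(box, 'A', sizeof box);
    box[0] = 0; box[1] = 0; box[2] = 0; box[3] = (uint8_t)sizeof box;
    memcpy(box + 4, "name", 4);
    char out[FIELD_MAX];
    return parse_box_safe(box, sizeof box, out, sizeof out);
}

int main(void)
{
    printf("valid box        -> %d\n", demo_valid());             /* 5 */
    printf("lying size field -> %d\n", demo_lying_size());        /* -2 */
    printf("oversized payload-> %d\n", demo_payload_too_large()); /* -3 */
    return 0;
}
```

The two checks in the hardened version are independent: the first catches a size field that exceeds the data actually received (a truncated or fabricated box), the second catches a box that is internally consistent but still larger than the fixed buffer it is parsed into. Either one missing leaves the stack copy reachable.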

In a statement to Lindsey O’Donnell of Kaspersky Lab’s Threatpost, a Facebook spokesperson said Facebook is certain that no users have been compromised. The statement reads as follows:

WhatsApp cares deeply about the privacy of our users and we’re constantly working to enhance the security of our service... We make public reports on potential issues we have fixed consistent with industry best practices. In this instance there is no reason to believe users were impacted.

This statement rings hollow when considering the long list of privacy issues that Facebook and its various applications have had over the years. WhatsApp, in particular, has become a priority target for governments looking to spy on citizens and also for hackers looking to infect unaware users. Mark Zuckerberg has repeatedly touted the lengths that Facebook goes to for privacy, but the evidence has repeatedly proven this to be false.

When journalists or activists need a secure messaging service, they don’t use WhatsApp, instead opting for Signal (used by many journalists in hostile nations) or Telegram (the go-to application for protestors in Hong Kong). That speaks volumes about Facebook’s negative reputation in the larger community of privacy advocates and cybersecurity professionals.

This most recent WhatsApp vulnerability is merely the tip of the iceberg for WhatsApp’s many problems. Expect the problems to continue if history is anything to learn from.

Featured image: Flickr / Christoph Scholz

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regard to information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
