Facebook patches WhatsApp remote code execution vulnerability

Facebook has officially patched a rather troubling vulnerability that was present on its WhatsApp platform. The vulnerability (CVE-2019-11931) allows for remote code execution and denial-of-service attacks when users open basic video files in MP4 format. The flaw, which was found internally by Facebook, is relatively easy to exploit for a skilled hacker, as creating malicious MP4 files is not a huge undertaking. In its own security post on the flaw last week, Facebook had this to say:

A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE. This affects Android versions prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Windows Phone versions before and including 2.18.368, Business for Android versions prior to 2.19.104, and Business for iOS versions prior to 2.19.100.
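
The advisory fixes the exposure entirely by version number, with one platform ("before and including 2.18.368" on Windows Phone) using an inclusive boundary where the others are exclusive. The following script is an added example, not code from Facebook or WhatsApp: it encodes the thresholds quoted above and checks a device inventory against them so an administrator can see which installs still need the update. The platform keys, the `SAMPLE_INVENTORY` entries and the device labels are constructed for illustration and are not real data.

```python
"""Flag WhatsApp installs inside the CVE-2019-11931 affected ranges."""
from typing import Dict, List, Tuple

# Thresholds exactly as given in Facebook's advisory. The bool records
# whether the threshold version is itself affected ("before and including")
# or whether only versions strictly below it are ("prior to").
# The platform keys are our own shorthand, not an official naming scheme.
AFFECTED_BEFORE: Dict[str, Tuple[str, bool]] = {
    "android": ("2.19.274", False),
    "ios": ("2.19.100", False),
    "enterprise": ("2.25.3", False),
    "windows_phone": ("2.18.368", True),
    "business_android": ("2.19.104", False),
    "business_ios": ("2.19.100", False),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.19.274' into (2, 19, 274) so versions compare numerically.

    String comparison would wrongly rank '2.19.99' above '2.19.100', so
    every component is converted to an int; anything non-numeric is rejected.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(platform: str, version: str) -> bool:
    """True if this platform/version pair falls inside the advisory's range."""
    threshold, inclusive = AFFECTED_BEFORE[platform]
    have, limit = parse_version(version), parse_version(threshold)
    return have <= limit if inclusive else have < limit


# Constructed sample inventory (platform, installed version, device label);
# these are made-up records, not real devices.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("android", "2.19.273", "dev-001"),
    ("android", "2.19.274", "dev-002"),
    ("ios", "2.19.100", "dev-003"),
    ("windows_phone", "2.18.368", "dev-004"),
    ("business_android", "2.19.104", "dev-005"),
    ("enterprise", "2.25.2", "dev-006"),
]


def devices_needing_update(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the labels of every install that is still in the affected range."""
    return [label for platform, version, label in inventory
            if is_vulnerable(platform, version)]


if __name__ == "__main__":
    for label in devices_needing_update(SAMPLE_INVENTORY):
        print(f"{label}: update WhatsApp (CVE-2019-11931)")
```

Against the constructed inventory the script flags dev-001, dev-004 and dev-006: the Android install one build short of the fix, the Windows Phone install sitting exactly on the inclusive boundary, and the Enterprise Client one release behind. The point of the inclusive flag is that the Windows Phone case would be missed by a naive "strictly less than" check.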

In a statement to Lindsey O’Donnell of Kaspersky Lab’s Threatpost, a Facebook spokesperson said Facebook is certain that no users have been compromised. The statement reads as follows:

WhatsApp cares deeply about the privacy of our users and we’re constantly working to enhance the security of our service... We make public reports on potential issues we have fixed consistent with industry best practices. In this instance there is no reason to believe users were impacted.

This statement rings hollow when considering the long list of privacy issues that Facebook and its various applications have had over the years. WhatsApp, in particular, has become a priority target for governments looking to spy on citizens and for hackers looking to infect unaware users. Mark Zuckerberg has repeatedly touted the lengths that Facebook goes to for privacy, but the evidence has proven this to be false.

When journalists or activists need a secure messaging service, they don’t use WhatsApp, instead opting for Signal (used by many journalists in hostile nations) or Telegram (the go-to application for protestors in Hong Kong). That speaks volumes about Facebook’s negative reputation in the larger community of privacy advocates and cybersecurity professionals.

This most recent WhatsApp vulnerability is merely the tip of the iceberg for WhatsApp’s many problems. Expect the problems to continue if history is any guide.

Featured image: Flickr / Christoph Scholz

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
