Facebook patches WhatsApp remote code execution vulnerability

Facebook has officially patched a rather troubling vulnerability in its WhatsApp platform. The vulnerability (CVE-2019-11931) allows remote code execution and denial-of-service attacks when users open ordinary video files in MP4 format. The flaw, which Facebook found internally, is relatively easy for a skilled attacker to exploit, as creating malicious MP4 files is not a huge undertaking. In its own security post on the flaw last week, Facebook had this to say:

A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE. This affects Android versions prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Windows Phone versions before and including 2.18.368, Business for Android versions prior to 2.19.104, and Business for iOS versions prior to 2.19.100.
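The practical question for anyone managing a fleet of devices is which installs still fall inside the affected ranges above. The following is an added example, not code from the article or from Facebook's advisory: it encodes the advisory's version bounds (note that Windows Phone is "before and including", so that bound is inclusive) and flags devices from a constructed inventory; the platform keys and device ids are assumptions for illustration.

```python
"""Flag WhatsApp installs still exposed to CVE-2019-11931, using the
version ranges from the Facebook advisory quoted above."""
import csv
import io

# Upper bound per platform, copied from the advisory. The flag says whether the
# bound itself is still vulnerable ("before and including" for Windows Phone).
AFFECTED_BELOW = {
    "android":          ("2.19.274", False),
    "ios":              ("2.19.100", False),
    "enterprise":       ("2.25.3",   False),
    "windows_phone":    ("2.18.368", True),
    "business_android": ("2.19.104", False),
    "business_ios":     ("2.19.100", False),
}

def parse_version(text: str) -> tuple:
    """'2.19.274' -> (2, 19, 274); rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version: {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(platform: str, version: str) -> bool:
    """True when this platform/version pair lies inside the advisory's affected range."""
    bound, inclusive = AFFECTED_BELOW[platform.lower()]
    installed, fixed = parse_version(version), parse_version(bound)
    return installed <= fixed if inclusive else installed < fixed

def scan_inventory(csv_text: str) -> list:
    """Return device ids that need the update. Rows: device_id,platform,version."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if is_affected(row["platform"], row["version"]):
            hits.append(row["device_id"])
    return hits

# Constructed sample inventory (hypothetical device ids, not real data).
SAMPLE_INVENTORY = """device_id,platform,version
phone-01,android,2.19.260
phone-02,android,2.19.274
phone-03,ios,2.19.100
phone-04,windows_phone,2.18.368
phone-05,windows_phone,2.18.370
phone-06,business_ios,2.19.99
"""

if __name__ == "__main__":
    for dev in scan_inventory(SAMPLE_INVENTORY):
        print(f"{dev}: update WhatsApp (CVE-2019-11931)")
```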

In a statement to Lindsey O’Donnell of Kaspersky Lab’s Threatpost, a Facebook spokesperson said Facebook is certain that no users have been compromised. The statement reads as follows:

WhatsApp cares deeply about the privacy of our users and we’re constantly working to enhance the security of our service... We make public reports on potential issues we have fixed consistent with industry best practices. In this instance there is no reason to believe users were impacted.

This statement rings hollow when considering the long list of privacy issues that Facebook and its various applications have had over the years. WhatsApp, in particular, has become a priority target for governments looking to spy on citizens and also for hackers looking to infect unaware users. Mark Zuckerberg has repeatedly touted the lengths that Facebook goes to for privacy, but the evidence has repeatedly proven this to be false.

When journalists or activists need a secure messaging service, they don’t use WhatsApp, instead opting for Signal (used by many journalists in hostile nations) or Telegram (the go-to application for protestors in Hong Kong). That speaks volumes about Facebook’s negative reputation in the larger community of privacy advocates and cybersecurity professionals.

This most recent WhatsApp vulnerability is merely the tip of the iceberg for WhatsApp's many problems. Expect them to continue if history is anything to go by.

Featured image: Flickr / Christoph Scholz

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating a society that is informed about information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

