Facebook has disclosed the existence of a vulnerability leading to remote code execution attacks in WhatsApp messaging software.
According to a ZDnet report, the company said in a security advisory that the WhatsApp bug, tracked as CVE-2019-11931, is a stack-based buffer overflow issue which can be triggered by attackers sending crafted .MP4 video files to victims. In addition, Facebook said that the problem was caused by how the encrypted messaging app parses .MP4 elementary stream metadata that if exploited, the vulnerability can lead to denial-of-service (DoS) or remote code execution (RCE) attacks. There are not many technical details available, notes the report.
"WhatsApp versions prior to 2.19.274 on Android and iOS versions prior to 2.19.100 are affected. Business users of WhatsApp prior to 2.19.104 on Android and 2.19.100 on iOS are also susceptible to attack. Enterprise Client versions prior to 2.25.3 and Windows Phone versions of WhatsApp including 2.18.368 and below are also impacted," notes the report.
A Facebook spokesperson told ZDnet, "WhatsApp is constantly working to improve the security of our service. We make public reports on potential issues we have fixed consistent with industry best practices. In this instance, there is no reason to believe that users were impacted."
Please visit ZDnet for the full report.