Facebook owned WhatsApp has been in the news from some time now for being affected by a serious privacy concern that stems from the use of Israeli spyware called Pegasus. Now, developers of the online chat app have published a new vulnerability in the app that suggests another way an attacker might be able to access your files and data. As per a recently published Facebook security advisory, a stack-based memory buffer overflow can be triggered by sending a specially crafted MP4 file to a WhatsApp user. “The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE,” states the advisory.
Facebook simply says that the flaw could result in Denial of Service (DoS) or Remote Code Execution (RCE), but this is quite concerning. While DoS might hamper you from using WhatsApp on your phone, RCE is not something to be taken lightly. Using Remote Code Execution, an attacker can run code on your device, which can result from downloading and sideloading malware to hijacking it and accessing your data. The flaw affects Android versions of WhatsApp before the 2.19.274 update, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Windows Phone versions before and including 2.18.368, Business for Android versions prior to 2.19.104, and Business for iOS versions prior to 2.19.100.
The revelation of this new exploit comes soon after the Pegasus fiasco where the spyware was allegedly used to spy on numerous entities. As per a previous report, WhatsApp alerted two dozen academics, lawyers, Dalit activists and journalists across India that their devices were under surveillance for a two-week period till May 2019. The time period coincides with the 2019 General Elections in India. You can read more about this here.