The security and integrity of encrypted messaging platforms has been very much in the headlines in recent weeks, and most of these stories have focused on the largest player in the field—WhatsApp. Facebook’s premier messaging platform has patched a number of vulnerabilities, the most notorious of which saw the platform warn users that it had been compromised by the Israeli spyware firm NSO. WhatsApp’s parent Facebook even launched a legal action against NSO for their alleged attacks.
WhatsApp vulnerabilities have included nation-state attacks, targeted hacking and misleading functionality, and just last month there was yet another flaw confirmed, when a security researcher disclosed a bug that allowed an attacker to use a malicious GIF image file to potentially access user content. That flaw involved an attacker pushing a malicious GIF to a victim’s device through any channel. With the GIF on the device, when the victim opens the gallery within WhatsApp to send any image—not necessarily the malicious one—the hack triggers and the device and its contents become potentially vulnerable
Now Facebook has quietly confirmed yet another security vulnerability on the platform, releasing an advisory notice on November 14 to warn that “a stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user.” There is little further information, but the warning is a serious one—compromised systems risk denial of service or even remote code execution on the infected device. This could pose the risk of malware being planted on an infected device, a device used to eavesdrop or even a remote takeover.
Facebook says the “potential issue” was discovered internally—it was not disclosed by a security researcher nor was it intercepted in the wild. But in these days of increasing attacks on messaging platforms, such vulnerabilities need to be taken seriously and remedial action needs to be fast and thorough. According to Facebook, the potential issue affects the following versions of WhatsApp:
As ever, all users of WhatsApp should now check to ensure they are running the latest version of the app on all their platforms, and if not they should update at the earliest opportunity. The critical risk with a Whatsapp vulnerability is the ease by which an attacker can be mounted. Using WhatsApp as the delivery channel for an infection makes for a remarkably easy attack vector—you only need a phone number after all.
A WhatsApp spokesperson told me the platform “is constantly working to improve the security of our service. We make public reports on potential issues we have fixed consistent with industry best practices. In this instance there is no reason to believe users were impacted.” via Forbes