WhatsApp bug could have let hackers read your messages by just sending a video

Users who do not download an update for the latest version of the app are still vulnerable to the hack

Anthony Cuthbertson
Monday 18 November 2019 13:06 GMT
A security vulnerability with WhatsApp allows hackers to take over devices using a malicious gif

WhatsApp has acknowledged a security flaw within the app that allowed hackers to access people's messages by sending a malicious video file.

The Facebook-owned messaging app posted a security advisory about the bug, named CVE-2019-11931, which affects earlier versions of the app on both Android and iOS devices.

The advisory described the issue as a "stack-based buffer overflow" that was capable of triggering dangerous code through sending a "specifically crafted MP4 file to a WhatsApp user".

Facebook did not provide specifics about what the video might look like, or if victims needed to open the MP4 file in order for the hack to be executed.

A fix has been issued but users who have not downloaded the update for the latest version of WhatsApp are still vulnerable to the hack.

A spokesperson for the company said: "WhatsApp is constantly working to improve the security of our service. We make public reports on potential issues we have fixed consistent with industry best practices.

"In this instance, there is no reason to believe that users were impacted."

Despite Facebook claiming that there is no evidence of the security flaw being exploited, it remains unclear whether any hackers attempted to target victims through the bug.

Last month, WhatsApp revealed that a "significant" number of activists and journalists were targeted with spyware reportedly developed by controversial Israeli software firm NSO Group.

Around 1,400 WhatsApp users received a message warning of the campaign and advising them to update to the latest version of the app.

"In May we stopped an attack where an advanced cyber actor exploited our video calling to install malware on user devices," the message stated.

"There's a possibility this phone number was impacted, and we want to make sure you know how to keep your mobile phone secure."
