Popular messaging application WhatsApp has been hit by another vulnerability, one that reportedly allows spyware to be installed on users’ devices. Numerous news sites say the bug bears similarities to the Pegasus spyware incident that previously affected the company. The vulnerability is reportedly triggered through an MP4 video file circulated via the messaging app.
According to India Today, the attacker behind the incident used a video file in MP4 format to target app users. Viewing and downloading the file results in snooping attacks on both Android and iOS devices.
Likewise, NDTV says that accessing the MP4 file results in remote code execution (RCE) and denial-of-service (DoS) attacks. Once these attacks take hold on users’ devices, they can be used to mine sensitive files and information. Attackers and hacking groups can also use these vulnerabilities for surveillance purposes without physical access and verification.
The bug has been assigned the identifier CVE-2019-11931. Following the identification of the incident, Facebook issued a short statement regarding the issue. It said, “A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user.”
The Facebook-issued statement and the vulnerability are both reminiscent of the recent Pegasus attack which plagued the messaging app.
Affected users include those with Android versions before 2.19.274 and iOS versions before 2.19.100. Users of Enterprise Client versions older than 2.25.3 and Business for Android versions 2.19.104 are also vulnerable.
Windows Phone versions 2.18.368 and older are also on the list of vulnerable versions, Facebook notes.
Although details of the incident have been revealed to the public, Facebook claims that it discovered the bug internally. However, Forbes notes that this confirmation was a quiet one, with little to no information.
Following the disclosure, Forbes states that users must update their applications at the earliest possible time. During these critical times, researchers say individuals must also remain vigilant.
In line with this, a spokesperson for the Facebook-owned company said, “there is no reason to believe users were impacted.” The WhatsApp representative told Forbes, “we [are] constantly working to improve the security of our service.” They also claimed to “make public reports on potential issues we have fixed consistent with industry best practices.”
As of writing, the company behind the messaging application says it has already addressed the issue. No individuals affected by the vulnerability have surfaced so far.