WhatsApp Bug Allows Malware Injection Through MP4 Files
WhatsApp is one of the most popular text messaging apps and services around, despite Facebook taking over the reins.
That was already bad news, but things have gone from bad to worse for WhatsApp users after a new report noted that it’s possible to compromise an iPhone or Android phone just by having someone download a malicious MP4 file via WhatsApp.
The file essentially triggers remote code execution and then a DDoS attack, allowing bad actors to deploy malware. What that malware then does is up to them, but it could theoretically keep tabs on what a user is doing and then feed it back to a third-party.
Facebook has identified that a “stack-based buffer overflow” can be triggered, saying that it only affects specific versions of the apps.
“A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE. This affects Android versions prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Windows Phone versions before and including 2.18.368, Business for Android versions prior to 2.19.104, and Business for iOS versions prior to 2.19.100.”
As usual the best way to make sure that you aren’t impacted by this issue is to ensure you’re running the latest version of WhatsApp on all of your devices. If you aren’t, maybe it would be a good idea to be wary of any videos that appear in your chats.