Facebook, which owns WhatsApp, noted in a Thursday statement that the flaw was identified as “CVE-2019-11931,” explaining that the vulnerability was a “stack-based buffer overflow [that] could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user.”
“The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a [denial of service] or [remote code execution],” the release added, stating that the coding snag affected “Android versions prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Windows Phone versions before and including 2.18.368, Business for Android versions prior to 2.19.104, and Business for iOS versions prior to 2.19.100.”
According to cybersecurity outlet The Hacker News, the problem was promptly patched in October. The outlet indicated that the vulnerability allowed hackers to “remotely compromise targeted devices and potentially steal secured chat messages and files stored on them,” and that hackers only needed a WhatsApp user’s phone number to begin the process.
The security snafu was reportedly discovered internally.
In a statement to tech site The Next Web, a WhatsApp spokesperson said the company is “constantly working to improve the security” of the messaging platform, stressing that at present, “there is no reason to believe users were impacted.”
Users, however, are urged to update their apps should they still be working with one of the affected versions.
The revelation comes weeks after Facebook filed a lawsuit against Israeli company NSO Group, in which the social media giant alleged that the Israeli company used WhatsApp to target more than 1,400 users with highly sophisticated spyware. The NSO Group has largely disputed the allegations, saying that it will “vigorously” fight the suit.
Facebook is presently demanding that the Israeli company be denied access to its services and systems. It’s also seeking unspecified damages.