New WhatsApp Threat Confirmed


The security and integrity of encrypted messaging platforms has been very much in the headlines in recent weeks, and most of these stories have focused on the largest player in the field—WhatsApp. Facebook’s premier messaging platform has patched a number of vulnerabilities, the most notorious of which saw the platform warn users that it had been compromised by the Israeli spyware firm NSO. WhatsApp’s parent Facebook even launched a legal action against NSO for their alleged attacks.

WhatsApp vulnerabilities have included nation-state attacks, targeted hacking and misleading functionality, and just last month there was yet another flaw confirmed, when a security researcher disclosed a bug that allowed an attacker to use a malicious GIF image file to potentially access user content. That flaw involved an attacker pushing a malicious GIF to a victim’s device through any channel. With the GIF on the device, when the victim opens the gallery within WhatsApp to send any image—not necessarily the malicious one—the hack triggers and the device and its contents become potentially vulnerable.

Now Facebook has quietly confirmed yet another security vulnerability on the platform, releasing an advisory notice on November 14 to warn that “a stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user.” There is little further information, but the warning is a serious one—compromised systems risk denial of service or even remote code execution on the infected device. This could pose the risk of malware being planted on an infected device, a device used to eavesdrop or even a remote takeover.
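As an added illustration of the bug class the advisory names, not code from WhatsApp or Facebook (the advisory does not say which MP4 structure is involved): a hypothetical parser for an MP4 `ftyp` box that derives a copy count from the file-supplied box size without checking it against a fixed-size array, beside the bounds-checked form a defender would expect. The `ftyp` layout, `MAX_BRANDS` and the two sample boxes are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MAX_BRANDS 8   /* fixed capacity of the brand array */
struct ftyp {
    char major_brand[5];
    uint32_t minor_version;
    char compatible_brands[MAX_BRANDS][5];
    size_t n_brands;
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  | (uint32_t)p[3];
}

/* Vulnerable pattern: the brand count comes straight from the box size in
 * the file and is never compared with MAX_BRANDS, so an oversized box writes
 * past compatible_brands (a stack buffer when the caller declares it locally).
 * Shown for contrast only; never run it on untrusted input. */
static int parse_ftyp_unchecked(const uint8_t *buf, struct ftyp *out) {
    uint32_t box_size = be32(buf);
    memcpy(out->major_brand, buf + 8, 4); out->major_brand[4] = '\0';
    out->minor_version = be32(buf + 12);
    out->n_brands = (box_size - 16) / 4;           /* file-controlled */
    for (size_t i = 0; i < out->n_brands; i++) {    /* no upper bound */
        memcpy(out->compatible_brands[i], buf + 16 + 4 * i, 4); out->compatible_brands[i][4] = '\0';
    }
    return 0;
}

/* Hardened form: every size read from the file is checked against the bytes
 * actually present and against the fixed capacity before any copy is made.
 * Returns 0 on success, -1 if the box is malformed, truncated or oversized. */
static int parse_ftyp_checked(const uint8_t *buf, size_t len, struct ftyp *out) {
    if (len < 16) return -1;
    uint32_t box_size = be32(buf);
    if (memcmp(buf + 4, "ftyp", 4) != 0) return -1;
    if (box_size < 16 || box_size > len || (box_size - 16) % 4 != 0) return -1;
    size_t n = (box_size - 16) / 4;
    if (n > MAX_BRANDS) return -1;                  /* the missing bound check */
    memcpy(out->major_brand, buf + 8, 4); out->major_brand[4] = '\0';
    out->minor_version = be32(buf + 12);
    for (size_t i = 0; i < n; i++) {
        memcpy(out->compatible_brands[i], buf + 16 + 4 * i, 4); out->compatible_brands[i][4] = '\0';
    }
    out->n_brands = n;
    return 0;
}

/* Constructed sample boxes (not captures): a well-formed ftyp with two brands,
 * and one whose size field claims 12 brands, more than MAX_BRANDS can hold. */
static const uint8_t VALID_FTYP[24] = { 0,0,0,24, 'f','t','y','p', 'i','s','o','m', 0,0,2,0, 'i','s','o','m', 'm','p','4','1' };
static const uint8_t OVERSIZED_FTYP[64] = { 0,0,0,64, 'f','t','y','p', 'i','s','o','m', 0,0,2,0 }; /* rest zero */
```

The checked parser rejects the oversized box and a truncated buffer before touching the stack array, which is the kind of check a fuzzer harness around a media parser should be able to exercise.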

Facebook has not said whether the vulnerability was reported by a security researcher or intercepted in the wild, but in these days of increasing threat actor attacks on messaging platforms, such issues need to be taken seriously and remedial action needs to be fast and thorough. According to Facebook, the issue affects the following versions of WhatsApp:

  • Android versions prior to 2.19.274
  • iOS versions prior to 2.19.100
  • Enterprise Client versions prior to 2.25.3
  • Windows Phone versions before and including 2.18.368
  • Business for Android versions prior to 2.19.104
  • Business for iOS versions prior to 2.19.100.

As ever, all users of WhatsApp should now check to ensure they are running the latest version of the app on all their platforms, and if not they should update at the earliest opportunity. The critical risk with a WhatsApp vulnerability is the ease with which an attack can be mounted. Using WhatsApp as the delivery channel for an infection makes for a remarkably easy attack vector—you only need a phone number after all.

Facebook has been approached for any further comments on this story.