WhatsApp MP4 Bug Lets Hackers Control Your Phone

At this moment and for the foreseeable future, it's a good idea to avoid opening MP4 files in WhatsApp. There's a bug in WhatsApp for both iOS and Android where a malicious person can send a specially crafted MP4 file to ultimately control a user's phone. The bug has been patched, but not everyone has installed the patch yet.


The MP4 vulnerability affected several different versions of the WhatsApp app, including everything in the following list. And yes, that is a Windows Phone version. People still have Windows Phone devices out there in the wild, and there is still a WhatsApp client that works for Windows Phone! Of course that's not something the developers of WhatsApp would like, as they've almost certainly stopped updating said system several years ago, but still...

• Android versions prior to 2.19.274

• iOS versions prior to 2.19.100

• Enterprise Client versions prior to 2.25.3

• Business for Android versions prior to 2.19.104

• Business for iOS versions prior to 2.19.100

• Windows Phone versions before and including 2.18.368
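For anyone checking a fleet rather than a single phone, the bounds in the list above can be applied to a device inventory. This is an added example, not code from WhatsApp or from the article; the platform keys, function names and sample inventory are constructed for illustration.

```python
# Added example. Bounds are copied from the list above; the platform keys
# and SAMPLE_INVENTORY are constructed for illustration.
# Each entry: (version bound, inclusive). inclusive=True means the bound
# itself is affected ("before and including"); False means "prior to".
AFFECTED = {
    "android": ((2, 19, 274), False),
    "ios": ((2, 19, 100), False),
    "enterprise": ((2, 25, 3), False),
    "business-android": ((2, 19, 104), False),
    "business-ios": ((2, 19, 100), False),
    "windows-phone": ((2, 18, 368), True),
}

def parse_version(text):
    """Turn '2.19.99' into (2, 19, 99) so comparison is numeric, not lexical."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(platform, version):
    """True if this client is inside the ranges listed for CVE-2019-11931."""
    bound, inclusive = AFFECTED[platform.lower()]
    v = parse_version(version)
    width = max(len(v), len(bound))      # pad so '2.19' compares as 2.19.0
    v += (0,) * (width - len(v))
    bound += (0,) * (width - len(bound))
    return v <= bound if inclusive else v < bound

def audit(inventory):
    """Rows needing action; unknown platforms or bad versions go to review."""
    flagged = []
    for device, platform, version in inventory:
        try:
            if is_affected(platform, version):
                flagged.append((device, "update"))
        except (KeyError, ValueError):
            flagged.append((device, "review"))
    return flagged

SAMPLE_INVENTORY = [  # constructed rows: (device id, platform, app version)
    ("phone-01", "android", "2.19.98"),
    ("phone-02", "android", "2.19.274"),
    ("phone-03", "ios", "2.19.100"),
    ("phone-04", "windows-phone", "2.18.368"),
    ("phone-05", "ios", "2.19.99"),
    ("phone-06", "kaios", "2.20.1"),
]
```

Versions are compared as integer tuples because a plain string comparison would rank "2.19.99" above "2.19.100" and miss an affected iOS client.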


If you have an older version of a WhatsApp app, it's high time you updated said app. This vulnerability, tracked with the code CVE-2019-11931, was not used in a widespread manner – as far as we know.

"WhatsApp is constantly working to improve the security of our service," said a WhatsApp representative in a statement. "We make public, reports on potential issues we have fixed consistently with industry best practices. In this instance, there is no reason to believe users were impacted."

Per the brief notice Facebook released, "The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE." The technical impact could be DoS: Crash, Exit, or Restart; DoS: Resource Consumption (CPU); or DoS: Resource Consumption (Memory). So that's bad news. Take caution and never, ever download an MP4 file from WhatsApp, at least not until you've updated your app.
