WhatsApp is making the headlines once again, but for the wrong reasons. It all began after Facebook confirmed the existence of a critical vulnerability in WhatsApp that could trigger remote code execution attacks. This means an attacker on the Internet could potentially have launched malicious code on a device running WhatsApp without the user’s knowledge.
Facebook mentioned in a statement that CVE-2019-11931, a stack-based buffer overflow vulnerability found in WhatsApp, could be exploited by remote attackers. The description also details that the attack could be triggered by a specially-crafted video file with the extension ‘.mp4’. The core problem lay in how certain parts of this MP4 video file were parsed to extract data. By exploiting this vulnerability, an attacker could have carried out Denial-of-Service (DoS) or Remote Code Execution (RCE) attacks.
The following versions are prone to such attacks: WhatsApp for Android lower than 2.19.274, for iOS lower than 2.19.100, for enterprise clients lower than 2.25.3, Business for Android lower than 2.19.104, Business for iOS lower than 2.19.100, and for Windows Phone up to and including 2.18.368. However, thus far, there is no report of this WhatsApp vulnerability being exploited in the wild.
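For anyone managing more than one device, the version bounds above can be checked against an app inventory export. The following is an added example, not code from Facebook or WhatsApp; the platform labels, the CSV column names and the sample rows are assumptions made up for illustration.

```python
import csv
import io

# Bounds copied from the paragraph above; True marks a bound whose listed
# version is itself affected. Platform labels are assumed for this example.
BOUNDS = {
    "android": ("2.19.274", False),
    "ios": ("2.19.100", False),
    "enterprise": ("2.25.3", False),
    "business-android": ("2.19.104", False),
    "business-ios": ("2.19.100", False),
    "windows-phone": ("2.18.368", True),
}

def parse_version(text):
    """'2.19.98' -> (2, 19, 98); numeric, so 98 sorts below 274."""
    return tuple(int(part) for part in text.strip().split("."))

def is_affected(platform, version):
    """True/False for a known platform, None when the row needs manual review."""
    entry = BOUNDS.get(platform.strip().lower())
    if entry is None:
        return None
    bound, inclusive = entry
    try:
        installed, limit = parse_version(version), parse_version(bound)
    except ValueError:
        return None  # empty or non-numeric version string
    # Pad with zeros so "2.19" compares as "2.19.0".
    width = max(len(installed), len(limit))
    installed += (0,) * (width - len(installed))
    limit += (0,) * (width - len(limit))
    return installed <= limit if inclusive else installed < limit

def audit(inventory_csv):
    """Return (device, status) pairs for a CSV with device,platform,version."""
    labels = {True: "AFFECTED", False: "ok", None: "REVIEW"}
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [(r["device"], labels[is_affected(r["platform"], r["version"])]) for r in rows]

# Constructed sample inventory, not real data.
SAMPLE = """device,platform,version
phone-01,android,2.19.98
phone-02,android,2.19.274
phone-03,windows-phone,2.18.368
phone-04,ios,2.19.100
phone-05,kaios,2.2.1
phone-06,business-android,unknown
"""
```

Calling `audit(SAMPLE)` flags phone-01 and phone-03 as affected; a plain string comparison would miss phone-01, because "2.19.98" sorts after "2.19.274" as text.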
In September this year, another WhatsApp vulnerability, namely CVE-2019-11932, was discovered. The root cause of this vulnerability was different, but the effects of exploitation were similar to those of the vulnerability above. To exploit it, adversaries needed a specially-crafted GIF image file instead of an MP4 file: the attacker could send a specially-crafted ‘.gif’ file to the victim via WhatsApp. If the attacker is in the victim’s contact list, the malicious GIF file would get downloaded automatically without any interaction and saved in the media gallery. When the victim opens the WhatsApp gallery to share an image file with any of their WhatsApp friends, the bug would get triggered, potentially allowing a Remote Code Execution (RCE) attack.
To be safe, every WhatsApp user should:
- Update their apps as and when the latest versions are available from the respective App Store (Play Store in the case of Android). We also recommend that you turn on the auto-update feature to ensure that all your device apps get updated as soon as the latest versions are rolled out.
- Disable the auto-download feature for any media in WhatsApp, even when you receive it from your WhatsApp friends, to reduce the risk of silently downloading specially-crafted media. The auto-download feature of WhatsApp can be disabled by:
  - Navigating to WhatsApp’s hamburger menu, which appears on the top-right corner of the app
  - Navigating to “Settings”
  - Clicking on “Data and storage usage”
  - Disabling all the checkboxes that appear under all options for Media auto-download, i.e. “When using mobile data”, “When connected to Wi-Fi”, etc.