Facebook has disclosed a vulnerability in WhatsApp that allowed an attacker to take complete control over your smartphone by creating a special MP4 file and sending it to you. Because of the way it is coded, playing the file would force the app to write more data to a buffer than it’s allowed, causing a buffer overflow. In turn, that makes it possible for attackers to corrupt the data in your phone’s RAM to steal chat messages or remotely access files stored on the device.
The flaw was quietly patched by Facebook in a recent update, so you shouldn’t open any video file you’ve received until you make sure you’re running the latest version. The issue affects iPhones running WhatsApp versions before 2.19.100, Android devices running versions prior to 2.19.174, and even Windows Phone versions before and including 2.18.368, a platform that isn’t going to be patched for the estimated 10 million people who are still using it.
A Facebook spokesperson said in a statement that “WhatsApp cares deeply about the privacy of our users and we’re constantly working to enhance the security of our service. We make public reports on potential issues we have fixed consistent with industry best practices.” The company didn’t find any evidence that the flaw has been exploited in the wild, but that doesn’t mean it won’t be now that the information is public.
Recently, WhatsApp sued Israeli firm NSO Group for facilitating a hack on 1,400 users, including journalists, activists, and public figures. The company sells spyware that can infect your phone by way of a simple call, after which all the data on your device is exposed. And that includes data from your Microsoft, Apple, Google, and Facebook accounts.
Facebook isn’t known for being extra careful with user data, and the company seems more concerned with re-branding to fix public perception than with the security of its big messaging and social platforms. After all, the company still hasn’t fixed a flaw that allows someone to take over your conversations and put words in your mouth, even a year after public disclosure.
Facebook, which owns WhatsApp, has urged users to ensure they have the latest version of the app running on their device, and to disable automatic downloads of image and video files.