Close on the heels of the ‘Pegasus’ spyware, the Internet was again abuzz with yet another Whatsapp vulnerability on Monday, 18th November 2019. This time:
- Hackers send a specially crafted .mp4 file to a Whatsapp user which could trigger a stack based buffer overflow.
- This could enable the hacker to launch a ‘Denial of service attack’(DOS) or ‘Remote code execution’(RCE) thereby gaining complete control of the mobile devices
- If you are affected by the vulnerability, all sensitive and non-sensitive files on your device can be stolen and your device might be used for surveillance purposes
- It affects both Android and iOS devices
- This vulnerability is CVE-2019-11931
- It has hence been patched
- It is a possibility that in addition to the app’s vulnerability, the vulnerability within the mobile OS could also trigger this attack
- It affects Android versions prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Windows Phone versions before and including 2.18.368, Business for Android versions prior to 2.19.104, and Business for iOS versions prior to 2.19.100.
What can be done:
- Turn ‘off’ auto-download on Whatsapp
- Do not download .mp4 files
- Update your software regularly
All about Pegasus!