WhatsApp’s MP4 security vulnerability: What it is and should you be worried?

WhatsApp last week fixed a new security vulnerability that could have allowed hackers to gain access to users' sensitive data using common MP4 video files. The new vulnerability comes days after WhatsApp reported spyware attack which led to snooping on 1,400 individuals around the world. Here's everything you need to know about the latest WhatsApp bug.

What it is

Facebook revealed that hackers used 'specially crafted MP4 file' to trigger the remote code execution (RCE) and denial of service (DoS) cyber attack. The new bug exploited a familiar "stack-based buffer overflow" which was used by the Pegasus spyware earlier this year.

Here's what Facebook described the vulnerability as: "A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE."

CERT-In, India's nodal agency for handling cyber-security related threats, also had similar findings about the vulnerability.

"A stack-based buffer overflow vulnerability exists in WhatsApp due to improper parsing of elementary metadata of an MP4 file. A remote attacker could exploit this vulnerability by sending a special crafted MP4 file to the target system. This could trigger a buffer overflow condition leading to execution of arbitrary code by the attacker. The exploitation doesn't require any form of authentication from the victim and executes on downloading of malicious crafted MP4 file on the vicitims system," said the agency.

ALSO READ: WhatsApp vulnerabilities that put users' data at risk

Who was affected? Should you be worried?

According to Facebook, the security vulnerability was found on Android versions older than 2.19.274. It was also discovered on iOS version older than 2.19.100. Business for Android versions prior to 2.19.104; Business for iOS versions prior to 2.19.100; and Windows Phone versions before and including 2.18.368 were also impacted.

While CERT-In asked users to update their WhatsApp app, the instant messaging company said no users were affected by the latest vulnerability.

"WhatsApp is constantly working to improve the security of our service. We make public, reports on potential issues we have fixed consistent with industry best practices. In this instance, there is no reason to believe users were impacted," said WhatsApp spokesperson in a statement.