WhatsApp is the most popular messaging app in the market, and it had a severe flaw.
Identified as CVE-2019-11931, the bug allowed hackers to send specially crafted MP4 files to victims, which then allowed them to execute malicious code on the victim’s device without any intervention.
Making things worse, the bug could also be used for nefarious purposes, like creating a gateway where hackers can access information on users' phones, or leverage it as an entry point for more sophisticated exploit chain.
In an advisory posted on its site, Facebook said:
Android versions prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Windows Phone versions before and including 2.18.368, Business for Android versions prior to 2.19.104, and Business for iOS versions prior to 2.19.100."
Fortunately, WhatsApp has fixed the flaw.
"WhatsApp is constantly working to improve the security of our service. We make public reports on potential issues we have fixed consistent with industry best practices," said a spokesperson of the company. "In this instance, there is no reason to believe that users were impacted."
Despite Facebook claiming that there is no evidence of the security flaw being exploited, it remains unclear whether any hackers have really attempted to target victims through this bug.
Facebook also did not say anything about what made it discover this bug. But what is certain is that, the bug was found after a series announcements regarding different successful hacks of the system, with the most prominent was by Pegasus from NSO Group, an Israeli cyber surveillance company.
At that time, WhatsApp revealed that a "significant" number of activists and journalists were targeted with spyware reportedly developed by NSO throughout April and May.
Facebook and WhatsApp jointly filed a complaint in a U.S. federal court against the company following the detection of "a new kind of cyberattack involving a vulnerability in the video-calling feature," according to Will Cathcart, head of WhatsApp.
"A user would receive what appeared to be a video call, but this was not a normal call," Cathcart said. "After the phone rang, the attacker secretly transmitted malicious code in an effort to infect the victim’s phone with spyware. The person did not even have to answer the phone."
At that time, around 1,400 WhatsApp users that were affected received a message warning of the campaign and advising to update to the latest version of the app, saying that.