WhatsApp users should hit up the Google Play Store or the App Store and make sure they’re running the latest version of the app, as a new update fixes a major security bug that could let hackers slip malicious code onto devices through seemingly innocent .MP4 video files.
Threatpost has a detailed explanation of the bug, but the gist is that hackers can corrupt a device’s memory by manipulating the metadata (information like the title, rights holders, etc.) of an MP4 video file. The attack is only possible when the malicious file is played in WhatsApp, which can then allow the attacker to take control of certain parts of the device and install or execute code remotely.
This threat can be mitigated by not opening messages or files from unknown contacts, but part of the issue is that the files can come from anywhere—even from contacts you know and trust forwarding a video they’re unaware has malicious metadata.
The good news about this attack vector is that WhatsApp has already patched the vulnerability in the latest app update, and it doesn’t appear to have been a big problem for its users. As a spokesperson told Threatpost:
“WhatsApp cares deeply about the privacy of our users and we’re constantly working to enhance the security of our service. We make public reports on potential issues we have fixed consistent with industry best practices. In this instance there is no reason to believe users were impacted.”
Regardless, you’ll be protected from the bug if you’re running WhatsApp version 2.19.274 or higher on Android, or version 2.19.100 or higher on iOS.