A hot potato: As Facebook is working to unify the backend of social and messaging platforms it owns, a new flaw shows the company still has a lot of work left to do on the security front. After the Facebook app was hit by a bug that opens the camera in the background, the company quietly fixed another one present in WhatsApp that could prove even more dangerous.
Facebook has disclosed a vulnerability in WhatsApp that allowed an attacker to take complete control over your smartphone by creating a special MP4 file and sending it to you. Because of the way it is coded, playing the file would force the app to write more data to a buffer than it’s allowed, causing a buffer overflow. In turn, that makes it possible for attackers to corrupt the data in your phone’s RAM to steal chat messages or remotely access files stored on the device.
The flaw was quietly patched by Facebook in a recent update, so it’s worth keeping in mind that you shouldn’t open any video file you’ve received until you make sure you’re running the latest version. The issue affects iPhones running WhatsApp versions before 2.19.100, Android versions prior to 2.19.174, and even Windows Phone versions before and including 2.18.368 — which isn’t going to be patched for the estimated 10 million people who are still using the platform.
A Facebook spokesperson said in a statement that “WhatsApp cares deeply about the privacy of our users and we’re constantly working to enhance the security of our service. We make public reports on potential issues we have fixed consistent with industry best practices.” The company didn’t find any evidence that the flaw has been exploited in the wild, but that doesn’t mean it won’t be now that the information is public.
Recently, WhatsApp sued Israeli firm NSO Group for facilitating a hack on 1,400 users, including journalists, activists, and public figures. The company sells spyware that can infect your phone by way of a simple call, after which all the data on your device is exposed. And that includes data from your Microsoft, Apple, Google, and Facebook accounts.
Facebook isn’t known for being extra careful with user data. But the company seems more concerned with re-branding to fix public perception than with the security of its big messaging and social platforms. After all, the company still hasn’t fixed a flaw that allows someone to take over your conversations and put words in your mouth even a year after public disclosure.
Facebook is rushing to make Facebook Messenger, WhatsApp and Instagram work together and use the same underlying infrastructure, which raises the question of whether the company is doing enough to protect the privacy and security of its users. The three platforms each have well over a billion active users, and the company’s plan to enable digital payments will make them even more attractive to hackers.