The vulnerability, identified as CVE-2019-11931, affected both Android and iOS systems, but it is unclear if any users were impacted. The company has rolled out a security update.
“WhatsApp is constantly working to improve the security of our service. We make public reports on potential issues we have fixed consistent with industry best practices. In this instance, there is no reason to believe users were impacted,” WhatsApp said in a statement on Sunday.
India is WhatsApp’s biggest market with 400 million users. The development comes just weeks after WhatsApp sued the Israeli company NSO Group over the alleged misuse of its spyware Pegasus, which was installed on the phones of 1400 users, including at least 120 Indians. Many of those who were spied on were journalists, rights activists and lawyers.
In a post on its security advisories page, WhatsApp’s parent company Facebook confirmed the vulnerability on November 14. The post describes the vulnerability as follows: “A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user.”
Although this description is vague, the CERT-In website gives more details. It states that the vulnerability can be “exploited by a remote attacker to execute arbitrary code on the target system.”