It’s official: a buffer overflow bug has been disclosed by Facebook.
Facebook has disclosed a vulnerability in WhatsApp that could allow your phone to be hacked via a malicious video file.
It’s not clear if the video file must be opened or if it can simply be sent to a user to allow a hacker to hack your phone.
The bug was present in the iOS, Android, and even Windows Phone versions of the WhatsApp and WhatsApp for Business apps.
The security and integrity of WhatsApp has been very much in the headlines in recent weeks, and most of these stories have focused on the largest player in the field—WhatsApp. Facebook’s premier messaging platform has patched a number of vulnerabilities, the most notorious of which saw the platform warn users that it had been compromised by the Israeli spyware firm NSO. WhatsApp’s parent Facebook even launched a legal action against NSO for their alleged attacks.
What is Buffer Overflow?
Buffer overflow (or buffer overrun) is an anomaly in software in which a program attempts to store more data in a buffer (memory store) than its capacity, causing the buffer to overflow. It’s the same as if you tried to pour more water into a cup than it can hold, making the water overflow.
In computers, a buffer is a section of memory that’s allocated to store data. If the data overflows the buffer, it may corrupt neighboring data, crash the program, or, by overwriting neighboring memory, cause the program to execute other code (malicious code, maybe!).
As per WhatsApp’s FAQs:
“We plan to share some information with Facebook and the Facebook family of companies. Some of the user’s account information with Facebook and the Facebook family of companies, like the phone number you verified when you registered with WhatsApp, as well as the last time you used our service.”
With their weasel words, Facebook also assured users that none of their data will be made publicly visible on its social network. Or rather, it will be concealed under the user’s inaccessible profile. There will also be an option in the settings to turn off data sharing. Not surprisingly, and to the vexation of data privacy advocates, data sharing was turned on by default, requiring every single one of WhatsApp’s more than a billion users to head to the settings and turn the feature off manually.
Nothing is clear about how WhatsApp collects users’ data for ads. It is a reasonable stance that Facebook integration will undoubtedly weaken the concept of data encryption, a move that is nothing new for the social network, considering Facebook’s entire business model centers on targeted advertising built around users’ personal data.
Facebook has disclosed the existence of a severe vulnerability leading to remote code execution attacks in WhatsApp messaging software.
It was disclosed last week by Facebook that the WhatsApp bug, tracked as CVE-2019-11931, is a stack-based buffer overflow issue which can be triggered by attackers sending crafted .MP4 video files to victims.
While there are not many technical details available, Facebook said that the problem was caused by how the encrypted messaging app parses .MP4 elementary stream metadata. If exploited, the vulnerability can lead to denial-of-service (DoS) or remote code execution (RCE) attacks.
WhatsApp versions prior to 2.19.274 on Android and iOS versions prior to 2.19.100 are affected. Business users of WhatsApp prior to 2.19.104 on Android and 2.19.100 on iOS are also susceptible to attack.
Enterprise Client versions prior to 2.25.3 and Windows Phone versions of WhatsApp including 2.18.368 and below are also impacted.
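The class of bug described above, as an added example (not WhatsApp's code, whose details Facebook has not published): a parser for a simplified, constructed box in the MP4 style (4-byte big-endian size, 4-byte type, payload) copies the payload into a fixed-size stack buffer, first trusting the size field and then validating it. The function names and the 32-byte `META_MAX` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define META_MAX 32 /* assumed capacity of the fixed-size stack buffer */

/* Read a 32-bit big-endian integer, the way MP4 box headers store sizes. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Stand-in for real metadata handling: sum the copied payload bytes. */
static uint32_t sum_bytes(const uint8_t *p, size_t n) {
    uint32_t s = 0;
    while (n--) s += *p++;
    return s;
}

/* VULNERABLE: trusts the size field read from the file. */
int parse_box_unsafe(const uint8_t *in, size_t in_len, uint32_t *out) {
    uint8_t meta[META_MAX];
    (void)in_len;                    /* input length is never consulted */
    uint32_t payload = be32(in) - 8; /* wraps around if the size is < 8 */
    memcpy(meta, in + 8, payload);   /* writes past meta[] if payload > 32 */
    *out = sum_bytes(meta, payload);
    return 0;
}

/* HARDENED: every length is checked before the copy. */
int parse_box_safe(const uint8_t *in, size_t in_len, uint32_t *out) {
    uint8_t meta[META_MAX];
    if (in == NULL || out == NULL || in_len < 8)
        return -1;                   /* no room for the 8-byte header */
    uint32_t box_size = be32(in);
    if (box_size < 8 || box_size > in_len)
        return -1;                   /* size underflows or exceeds the input */
    size_t payload = box_size - 8;
    if (payload > sizeof meta)
        return -1;                   /* would overflow the stack buffer */
    memcpy(meta, in + 8, payload);
    *out = sum_bytes(meta, payload);
    return 0;
}
```

Compiler mitigations such as stack canaries (`-fstack-protector-strong`) and `_FORTIFY_SOURCE` can turn an overflow like the unsafe copy into a crash, but the length checks are the actual fix.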
Facebook says the “potential issue” was discovered internally—it was not disclosed by a security researcher nor was it intercepted in the wild. But in these days of increasing attacks on messaging platforms, such vulnerabilities need to be taken seriously and remedial action needs to be fast and thorough.
In October, a cybersecurity researcher uncovered a double-free vulnerability, CVE-2019-11932, which could be used in attacks for compromising chat sessions, files, and messages.
Yes! It’s time to wake up. If you care about your data privacy, now is the time to delete Facebook and ditch WhatsApp along with it. If you are looking for a secure option, consider using Signal, which is a more secure, end-to-end encrypted messaging application for communicating with other users.
But first, what is Signal?
Signal is a messaging app, just like iMessage, WhatsApp or Facebook Messenger, but with enhanced privacy and data security features. Indeed, it is so good with its security that even whistleblower Edward Snowden recommends it and uses it himself, and who knows better than him which app is best for preventing any type of unwanted snooping?
Signal is absolutely free to use and is available for almost every platform, including Android, iOS, and Chrome, with some extra security protocols. The application offers all the basic messaging tools that you need to communicate, including emoji support, read receipts, group chats, audio and video calls.
Just like WhatsApp, Signal makes use of the mobile number for identifying the user and their contacts. This means no new usernames or passwords to think of, so you can dive straight in. On Android, the user can also send normal SMS or MMS messages through Signal to contacts who don’t have Signal installed, but those messages won’t be as secure or protected.
Why should we use Signal?
Firstly, Signal protects and safeguards your chats. Everything shared through the app is encrypted, making it impossible for any third-party intruder to intercept the data being shared with the specific recipient. What’s more? Well, Signal does not store any user data, even if governments or any other agency request it, which simply means nothing to leak.
Also, Signal’s code is open source, which means anyone can have a look at its source code and verify its security, but that doesn’t mean hackers can break into Signal’s encryption (yes, it is virtually uncrackable).
It is there for security experts and other users to make sure that Signal always maintains the high data privacy standards it claims.
Nearly every security investigator who has taken a look at the application has given it a big thumbs up from a security point of view, and its underlying data security technology is now being used in various other applications too.
How to use Signal?
Signal is not at all difficult to use, as its setup is just like that of any other messaging app. Oh yes! All of its clever privacy technology is concealed behind the scenes. After installing the application, you are asked to enter your phone number. On Android, you can also set Signal as your default app for all normal text messages (Apple doesn’t let you change the default SMS application on iOS).
Tap the pen icon to start a conversation, or simply select an existing thread to continue the communication. Inside the conversation window there are icons to share messages, make calls, share photos, attach files, or embed voice clips, though there are a few differences between the iOS and Android applications.
You can set messages to disappear automatically. On Android, open the menu inside a specific conversation (the three vertical dots), and then tap the Disappearing messages option to set a time limit. On iOS, tap the banner at the top of a conversation to do the same thing.
Signal is by far the best option for data security and privacy in a messenger app, offering layers of security. So what are you waiting for?