
A WhatsApp bug lets malicious media files spread through group chats

https://www.malwarebytes.com/blog/news/2026/01/a-whatsapp-bug-lets-malicious-media-files-spread-through-group-chats
29•iamnothere•3h ago

Comments

jeroenhd•1h ago
Awful reporting. Vague workarounds for an issue "reported by Google Project Zero" without links to said report, but with links to Forbes (who interviewed one of WhatsApp's competitors about WhatsApp's security while their own app doesn't even do proper E2EE). Was there a human involved in publishing this page? If so, was leaving out the link to Project Zero intentional?

Anyway, according to Google Project Zero, the issue has been fixed with a comprehensive fix: https://project-zero.issues.chromium.org/issues/442425914

You can always enable lockdown mode and disable downloading media to protect against undetected vulnerabilities of course, but the bug has been fixed and you just need to update for the problem to go away.

mikkupikku•55m ago
Journalists (and their editors) are allergic to proper citations. This is just standard reporting stuff, not unusual in the least.
charcircuit•32m ago
What is the actual implication of the attack? That your mobile data might be wasted?
testdelacc1•18m ago
The implication being that if the attacker could also craft a malicious payload that would cause a buffer overflow, they could chain the exploits to get remote code execution on the client.

While anyone can perform the attack described in the bug, it takes a very sophisticated attacker to craft the payload that can exploit Android’s media library.

toast0•15m ago
Sure, excess data use.

But media files that exploit parsers are the bigger issue. Errors in parsing have allowed for code execution, etc., in whatever context the parser runs; look into Stagefright and the many similar exploits before and after. Accepting media files from anywhere without user interaction is pretty risky. WhatsApp has a media file sanitizer, but it may not catch everything.

Disclosure: I worked at WhatsApp until 2019; but not on the media file sanitizer.

j45•25m ago
Neat tool.

Prolificity (ooh, invented word?) could be more than quantity of words, maybe quality too?
