The Indian Computer Emergency Response Team (CERT-In), the nodal agency for handling cyber-security related threats, has asked WhatsApp users in India to update their application to the latest version following an MP4 video file vulnerability recently reported by Facebook.
“A stack-based buffer overflow vulnerability exists in WhatsApp due to improper parsing of elementary metadata of an MP4 file.
A remote attacker could exploit this vulnerability by sending a specially crafted MP4 file to the target system. This could trigger a buffer overflow condition leading to execution of arbitrary code by the attacker. The exploitation doesn’t require any form of authentication from the victim and executes on downloading of a maliciously crafted MP4 file on the victim’s system,” said CERT-In on its website.
The agency said the vulnerability could be exploited by a remote hacker to execute arbitrary code on the targeted device.
“Successful exploitation of this vulnerability could allow the remote attacker to cause Remote Code Execution (RCE) or Denial of Service (DoS) condition, which could lead to further compromise of the system,” it added.
WhatsApp, however, said that no users were affected by the new vulnerability.
“WhatsApp is constantly working to improve the security of our service. We make public reports on potential issues we have fixed consistent with industry best practices. In this instance there is no reason to believe users were impacted,” a WhatsApp spokesperson told Mint.
According to Facebook’s advisory, the security vulnerability is found on Android versions prior to 2.19.274; iOS versions prior to 2.19.100; Enterprise Client versions prior to 2.25.3; Business for Android versions prior to 2.19.104; Business for iOS versions prior to 2.19.100; and Windows Phone versions before and including 2.18.368.
WhatsApp was recently targeted by hackers using Pegasus, spyware made by Israel-based NSO Group. The spyware exploited a vulnerability in the video calling feature of WhatsApp and allowed hackers to snoop on 1,400 individuals around the world. Some users in India were also targeted by the Pegasus spyware. The Indian government has sought an explanation from the instant messaging company over the spyware hacking.
“We agree with the government of India’s strong statement about the need to safeguard the privacy of all Indian citizens. That is why we’ve taken this strong action to hold cyber attackers accountable and why WhatsApp is so committed to the protection of all user messages through the product we provide,” a WhatsApp spokesperson had said.