New WhatsApp Flaw Under Scanner After Official CERT-In Warning

SUMMARY

MP4 format files can be used by attackers to get into the user’s phone

Images, videos, audio files and subtitle files can be used as attack vectors

More controversy for WhatsApp following the Pegasus spying case

India’s Computer Emergency Response Team (CERT-In) on Saturday (November 16) alerted WhatsApp users about a new vulnerability on the encrypted messaging app which hackers can exploit through MP4 files.

The MP4 file extension denotes a compressed file format, which can be used for images, videos, audio files and subtitle files, among other media. Once the malicious file has been downloaded on the smartphone or a system by a user, it does not require any further authentication. Any potential attacker can use the remote code execution (RCE) or denial of service (DoS) condition to further compromise the device or system, making it more vulnerable to other hacks.

At any given point in time, irrespective of geographical location, the RCE enables the attacker to access the infected smartphones with malware or make changes to system properties, such as turning the microphone or camera on and off, without alerting the user.

According to CERT-In, the severity of the vulnerability has been rated ‘high’ and users are urged to update to the latest version of WhatsApp.

Meanwhile, one of the spokespersons from WhatsApp told Inc42 that the company is constantly working to improve the security of their services. “We make public, reports on potential issues we have fixed consistently with industry best practices. In this case, there is no reason to believe users were impacted,” he added.

Explaining further, WhatsApp said that, in general, not every issue involving “remote code” means that spyware could be used. For one, advanced spyware requires vulnerabilities within the operating systems themselves. Second, some bugs are “bigger” than others.

The affected software includes:

  • WhatsApp for Android prior to 2.19.274
  • WhatsApp for iOS prior to 2.19.100
  • WhatsApp Enterprise Client prior to 2.25.3
  • WhatsApp for Windows Phone prior to 2.18.368
  • WhatsApp Business for Android prior to 2.19.104
  • WhatsApp Business for iOS prior to 2.19.100
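
One way to check a device inventory against the version list above, as an added example that is not from CERT-In, WhatsApp or Inc42; the inventory rows and function names are constructed for illustration. Versions are compared numerically, because a plain string comparison would rank 2.19.98 above 2.19.274.

```python
import re

# First fixed version per product, copied from the affected-software list above.
FIXED = {
    "WhatsApp for Android": "2.19.274",
    "WhatsApp for iOS": "2.19.100",
    "WhatsApp Enterprise Client": "2.25.3",
    "WhatsApp for Windows Phone": "2.18.368",
    "WhatsApp Business for Android": "2.19.104",
    "WhatsApp Business for iOS": "2.19.100",
}

def parse_version(text):
    """Turn '2.19.98' into (2, 19, 98); reject anything but dotted integers."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def is_affected(product, installed):
    """True if `installed` is prior to the fixed version for `product`."""
    fixed, have = parse_version(FIXED[product]), parse_version(installed)
    width = max(len(fixed), len(have))  # pad so that 2.25 compares as 2.25.0
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(have) < pad(fixed)

def audit(inventory):
    """Label each (device, product, version) row 'affected', 'ok' or 'review'."""
    rows = []
    for device, product, version in inventory:
        try:
            status = "affected" if is_affected(product, version) else "ok"
        except (KeyError, ValueError):
            status = "review"  # unknown product or malformed version string
        rows.append((device, product, version, status))
    return rows

# Constructed sample inventory: device names and installed versions are invented.
SAMPLE = [
    ("phone-01", "WhatsApp for Android", "2.19.98"),  # as text, "2.19.98" > "2.19.274"
    ("phone-02", "WhatsApp for Android", "2.19.274"),
    ("phone-03", "WhatsApp Business for Android", "2.19.9"),
    ("desk-01", "WhatsApp Enterprise Client", "2.25"),
    ("phone-04", "WhatsApp for iOS", "beta"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```

Rows marked `review` carry a product name or version string the script could not interpret and need a manual check rather than being counted as patched.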

However, an advisory was put up by Facebook last week (November 13), which warned users that a ‘stack-based buffer overflow’ could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user.

Cybersecurity threats are on the rise and, with the recent WhatsApp-Pegasus controversy, Indian cybersecurity and law enforcement agencies have been more active than ever in identifying vulnerabilities. CERT-In is caught in the middle of the Pegasus spyware case too, after it had seemingly deleted an advisory about the potential WhatsApp spyware.

Following such incidents, the Indian army has barred the usage of Facebook and WhatsApp among officers who handle sensitive data.

Update 1: November 18, 20.14

WhatsApp Spokesperson’s statement was added.
