WhatsApp bug: Install the latest update to fix it
A vulnerability has been reported in WhatsApp which could be exploited by a remote attacker to execute arbitrary code on the target system,' an advisory by CERT-In saidThe agency has asked users to upgrade to latest version of WhatsApp
The Indian cyber security agency, Computer Emergency Response Team-India (CERT-In), has warned WhatsApp users against a vulnerability having a high potential to attack the popular instant messaging app via an MP4 file and compromise individual system without seeking permissions.
The CERT-In is the nodal agency to combat hacking, phishing and to fortify security-related defences of the Indian internet domain.
The agency issued an advisory to app users under its 'high severity rating' section of their website. “A stack-based buffer overflow vulnerability exists in WhatsApp due to improper parsing of elementary metadata of an MP4 file. A remote attacker could exploit this vulnerability by sending a special crafted MP4 file to the target system. This could trigger a buffer overflow condition leading to execution of arbitrary code by the attacker. The exploitation doesn’t require any form of authentication from the victim and executes on downloading of malicious crafted MP4 file on the victim's system," said the agency.
CERT-In also added that the successful exploitation of this vulnerability could allow the remote attacker to cause remote code execution (RCE) or denial of service (DoS) condition, which could lead to further compromise of the system.
The only solution, as pointed by the agency on their website is to upgrade to the latest version of the messaging app.
According to media reports, the Minister of Information Technology Ravi Shankar Prasad raised concerns on over the issue and said in a written reply in the Lok Sabha that it is working on the Personal Data Protection Bill to safeguard privacy of citizens, and it is proposed to table it in Parliament.
The government has taken note of the fact that a spyware/malware affected some WhatsApp users. According to WhatsApp, this spyware was developed by an Israel-based company NSO Group and that it had developed and used Pegasus spyware to attempt to reach mobile phones of a possible number of 1,400 users globally. The users include 121 people from India, Prasad told IANS.
Based on media reports on October 31 about spyware Pegasus, CERT-In issued a formal notice to WhatsApp seeking submission of relevant details and information, IT ministry said in details.
Who all are affected by the spyware?
According to the government agency, half-a-dozen WhatsApp software have been "affected" by the current vulnerability.
They have been identified as:
-WhatsApp for Android prior to 2.19.274
-WhatsApp for iOS prior to 2.19.100
-WhatsApp Enterprise Client prior to 2.25.3
-WhatsApp for Windows Phone prior to 2.18.368
-WhatsApp Business for Android prior to 2.19.104
-WhatsApp Business for iOS prior to 2.19.100.
On the other hand, the instant messaging company said that there was no such vulnerability on their app. "WhatsApp is constantly working to improve the security of our service. We make public, reports on potential issues we have fixed consistent with industry-best practices. In this instance, there is no reason to believe users were impacted," a company spokesperson said in a statement shared with IANS.
Unlock a world of Benefits! From insightful newsletters to real-time stock tracking, breaking news and a personalized newsfeed – it's all here, just a click away! Login Now!