tech2 News Staff | Nov 19, 2019 12:06:56 IST
Editor's note: The article was originally published on 17 November and has been updated today with CERT-IN's official statement.
Facebook has disclosed a vulnerability in WhatsApp that could allow your phone to be hacked via a malicious video file.
It's not clear whether the video file must be opened, or whether simply sending it to a user is enough for an attacker to compromise the phone.
The bug was present in the iOS, Android, and even Windows Phone versions of the WhatsApp and WhatsApp for Business apps.
According to Facebook: "A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user."
The bug has been patched in the latest versions of WhatsApp, and was reported to India's CERT-IN following the release of the patch. CERT-IN has rated the severity of the vulnerability as "high" and advised users to update their app.
More recently, WhatsApp has been at the centre of controversy involving state-sponsored spyware made by Israeli firm NSO Group. The suite of tools, called Pegasus, costs millions of dollars and is only accessible to nation-states. It was revealed that this spyware suite was used to target over 1,400 journalists and activists around the world, including several dozen such people in India. WhatsApp was one of the vectors used to spread the attack. Given the mechanism by which Pegasus exploited WhatsApp, it's unlikely that this MP4 vulnerability was involved.
Regardless, if you're on the following versions of the WhatsApp app, it's high time you updated your app:
- Android versions prior to 2.19.274
- iOS versions prior to 2.19.100
- Enterprise Client versions prior to 2.25.3
- Windows Phone versions before and including 2.18.368
- Business for Android versions prior to 2.19.104
- Business for iOS versions prior to 2.19.100.
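For anyone managing a fleet of devices, the thresholds in the list above can be checked against an app inventory. The script below is an added example, not code from WhatsApp or CERT-IN; the platform keys and the inventory rows are constructed for illustration, and only the version numbers come from the list.

```python
# Added example: flag WhatsApp installs older than the fixed versions listed above.
# Platform keys and inventory rows are constructed; thresholds are from the article.

# (threshold, inclusive): inclusive=True means the listed version itself is affected.
THRESHOLDS = {
    "android": ((2, 19, 274), False),
    "ios": ((2, 19, 100), False),
    "enterprise": ((2, 25, 3), False),
    "windows_phone": ((2, 18, 368), True),   # "before and including"
    "business_android": ((2, 19, 104), False),
    "business_ios": ((2, 19, 100), False),
}

def parse_version(text):
    """Turn '2.19.98' into (2, 19, 98); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(platform, version):
    """Compare numerically: as strings, '2.19.98' would sort after '2.19.274'."""
    bound, inclusive = THRESHOLDS[platform]
    v = parse_version(version)
    width = max(len(v), len(bound))
    v += (0,) * (width - len(v))          # treat '2.25' as '2.25.0'
    bound += (0,) * (width - len(bound))
    return v <= bound if inclusive else v < bound

def audit(inventory):
    """Return (device, status) for rows needing action; unknown data goes to REVIEW."""
    findings = []
    for device, platform, version in inventory:
        try:
            if is_affected(platform, version):
                findings.append((device, "UPDATE"))
        except (KeyError, ValueError):
            findings.append((device, "REVIEW"))
    return findings

if __name__ == "__main__":
    sample = [  # constructed inventory rows
        ("phone-01", "android", "2.19.98"),
        ("phone-02", "ios", "2.19.100"),
        ("phone-03", "windows_phone", "2.18.368"),
        ("phone-04", "android", "beta"),
    ]
    for device, status in audit(sample):
        print(device, status)
```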
In a statement to Tech2, WhatsApp had the following to say: "WhatsApp is constantly working to improve the security of our service. We make public, reports on potential issues we have fixed consistently with industry best practices. In this instance, there is no reason to believe users were impacted."
On the official website, CERT-IN has said in a statement, "A stack-based buffer overflow vulnerability exists in WhatsApp due to improper parsing of elementary metadata of an MP4 file. A remote attacker could exploit this vulnerability by sending a special crafted MP4 file to the target system. This could trigger a buffer overflow condition leading to execution of arbitrary code by the attacker. The exploitation doesn't require any form of authentication from the victim and executes on downloading of malicious crafted MP4 file on the victim's system."