The Indian Computer Emergency Response Team (CERT) has taken note of a vulnerability in WhatsApp that allowed a remote attacker to target phones by sending a compromised video file in MP4 format. The threat, tracked under Vulnerability Note CIVN-2019-0181, has been categorised as ‘High Severity’. The WhatsApp issue impacts Android and iOS users, according to the advisory put out by the company and CERT.
As per the security message notified by WhatsApp, “A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. A remote attacker could exploit this vulnerability by sending a specially crafted MP4 file to the target system.”
The new threat is reported to trigger a buffer overflow condition, leading to the execution of arbitrary code by the attacker. Also, exploitation does not require any form of authentication from the victim’s end. It executes when a maliciously crafted MP4 file is downloaded on the receiver’s system, and such a file can be sent by anyone who has access to the mobile phone number the user uses for WhatsApp.
The security message says, “Successful exploitation of this vulnerability could allow the remote attacker to cause Remote Code Execution (RCE) or Denial of Service (DoS) conditions, which could lead to further compromise of the system.” An RCE attack is usually used to run malware on the device and to steal information from it without the user knowing.
WhatsApp’s advisory also notes that the issue affects Android versions prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.
However, a WhatsApp spokesperson said there is no reason to believe users were impacted. “WhatsApp is constantly working to improve the security of our service. We make public reports on potential issues we have fixed consistent with industry best practices,” the statement said. Still, users are advised to update to the latest version, where the problem has been fixed.
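For administrators checking a device fleet against the fixed versions listed above, the following is an added example, not code from WhatsApp or CERT. The inventory rows, device names and field layout are constructed for illustration; only the version thresholds come from the advisory as reported here. It compares versions numerically, because a plain string comparison would wrongly rank 2.19.51 above 2.19.134.

```python
# Added example: flag WhatsApp installs older than the fixed builds in the advisory.
# Thresholds are taken from the article; the inventory format is an assumption.
FIXED = {
    ("whatsapp", "android"): "2.19.134",
    ("whatsapp business", "android"): "2.19.44",
    ("whatsapp", "ios"): "2.19.51",
    ("whatsapp business", "ios"): "2.19.51",
    ("whatsapp", "windows phone"): "2.18.348",
    ("whatsapp", "tizen"): "2.18.15",
}

def parse_version(text):
    """Turn 'v2.19.51' into (2, 19, 51); raise ValueError on non-numeric parts."""
    parts = text.strip().lstrip("vV").split(".")
    if any(not p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(app, platform, version):
    """Return 'vulnerable', 'patched', 'unparseable' or 'unknown-product'."""
    fixed = FIXED.get((app.strip().lower(), platform.strip().lower()))
    if fixed is None:
        return "unknown-product"
    try:
        installed = parse_version(version)
    except ValueError:
        return "unparseable"  # surface for manual review, never assume patched
    fixed_t = parse_version(fixed)
    width = max(len(installed), len(fixed_t))
    # Pad with zeros so '2.18' is compared as 2.18.0
    installed += (0,) * (width - len(installed))
    fixed_t += (0,) * (width - len(fixed_t))
    return "vulnerable" if installed < fixed_t else "patched"

INVENTORY = [  # constructed sample rows: device, app, platform, version
    ("dev-01", "WhatsApp", "Android", "2.19.51"),
    ("dev-02", "WhatsApp", "iOS", "2.19.51"),
    ("dev-03", "WhatsApp Business", "Android", "v2.19.44"),
    ("dev-04", "WhatsApp", "Tizen", "2.18"),
    ("dev-05", "WhatsApp", "Android", "beta"),
]

def audit(rows):
    return {dev: classify(app, plat, ver) for dev, app, plat, ver in rows}

if __name__ == "__main__":
    for dev, status in audit(INVENTORY).items():
        print(dev, status)
```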
The advisory from Facebook does not give any more details about the issue. All we know is that the attacker could exploit the flaw to target the system, which sounds similar to how most malware or spyware works.
WhatsApp is currently under the spotlight after the Pegasus snooping case, in which Israel-based spyware maker NSO Group used its sophisticated spyware to target the messaging app and then hack into phones. Pegasus exploited a flaw in WhatsApp’s video calling feature and, once installed on the device, it would have complete control over the device, including its phone calls and messages, and could even be used remotely to turn on the camera or microphone.