Over the weekend, we reported Facebook’s confirmation of a vulnerability in certain versions of WhatsApp, the popular instant messaging app, that could potentially allow hackers to take control of your phone by sending you a video file, in the .MP4 format to be specific, laden with malware. Soon after that, the Indian Computer Emergency Response Team (CERT-In) of the Ministry of Electronics and Information Technology (MEITY) also issued a notification confirming the vulnerability. This vulnerability has perhaps received more attention than it otherwise would have, because the Pegasus spyware incident is still fresh in the minds of many users.
“WhatsApp is constantly working to improve the security of our service. We make public reports on potential issues we have fixed, consistent with industry best practices. In this instance there is no reason to believe users were impacted,” a WhatsApp spokesperson tells News18. WhatsApp goes on to say that not every issue involving “remote code” means that spyware could be used. It insists, first, that advanced spyware requires vulnerabilities within the operating systems themselves and, second, that some bugs are “bigger” than others.
What the Facebook-owned WhatsApp seems to be pointing at here is that while certain versions of the app had a vulnerability, advanced spyware would probably also require a vulnerability within the operating system to successfully deploy itself on a target device. WhatsApp insists that no users have been impacted by this bug. However, that may be scant consolation for many, since it only complicates matters if the likes of Apple, Google and Microsoft aren't aware of, or delay patching, a possible vulnerability in their smartphone and computing platforms.
Facebook had confirmed that specific versions of WhatsApp are impacted by the vulnerability. These include WhatsApp for Android versions prior to 2.19.274, WhatsApp for iOS versions prior to 2.19.100, the Enterprise Client versions prior to 2.25.3, the Windows Phone versions before and including 2.18.368, WhatsApp Business for Android versions prior to 2.19.104, and WhatsApp Business for iOS versions prior to 2.19.100. The best thing you can do right now is to update the WhatsApp apps and clients you use, whether on Android, iOS, Windows or any other platform you may be accessing it on.
“A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE. This affects Android versions prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Windows Phone versions before and including 2.18.368, Business for Android versions prior to 2.19.104, and Business for iOS versions prior to 2.19.100,” the official advisory issued by Facebook regarding the latest WhatsApp vulnerability noted at the time. The concern here, despite WhatsApp’s insistence that OS-level bugs also carry weight in whether spyware can do what it is designed to do, is that the delivery method, a .MP4 video file, is incredibly simple. A lot of users leave media on “auto-download” on their phones, which only makes the process easier for the hacker. Once the spyware is in, it can potentially access other data on your phone too, depending on what it is configured to do.
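Because the advisory quoted above and the version list in the previous paragraph use two different cut-offs (“prior to” for most platforms, “before and including” for Windows Phone), anyone checking a fleet of devices needs to get the comparison right. The following is an added example, not code from WhatsApp, Facebook or CERT-In: it encodes the version thresholds exactly as the advisory states them and flags which clients in a constructed, hypothetical device inventory still need the update.

```python
"""Flag WhatsApp clients whose version falls in the range the advisory lists as affected.

Thresholds are copied from the advisory text quoted in the article. The platform
keys and the device inventory below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threshold:
    version: tuple          # fixed version from the advisory
    inclusive: bool         # True where the advisory says "before and including"


# One entry per client named in the advisory.
AFFECTED = {
    "android":          Threshold((2, 19, 274), inclusive=False),  # prior to 2.19.274
    "ios":              Threshold((2, 19, 100), inclusive=False),  # prior to 2.19.100
    "enterprise":       Threshold((2, 25, 3),   inclusive=False),  # prior to 2.25.3
    "windows_phone":    Threshold((2, 18, 368), inclusive=True),   # before and including 2.18.368
    "business_android": Threshold((2, 19, 104), inclusive=False),  # prior to 2.19.104
    "business_ios":     Threshold((2, 19, 100), inclusive=False),  # prior to 2.19.100
}


def parse_version(text):
    """Turn '2.19.274' into (2, 19, 274) so tuples compare numerically, not lexically."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(platform, version_text):
    """True when the installed version lies in the advisory's affected range for that client."""
    threshold = AFFECTED[platform]
    installed = parse_version(version_text)
    if threshold.inclusive:
        return installed <= threshold.version
    return installed < threshold.version


def triage(inventory):
    """Return the (device, platform, version) rows that still need updating."""
    return [(dev, plat, ver) for dev, plat, ver in inventory if is_affected(plat, ver)]


# Constructed sample inventory: hypothetical device names and installed versions.
SAMPLE_INVENTORY = [
    ("phone-01", "android", "2.19.273"),          # one build short of the fix
    ("phone-02", "android", "2.19.274"),          # fixed version itself
    ("phone-03", "ios", "2.19.99"),               # affected
    ("phone-04", "windows_phone", "2.18.368"),    # affected: "before and including"
    ("phone-05", "business_android", "2.19.104"), # fixed
]

if __name__ == "__main__":
    for dev, plat, ver in triage(SAMPLE_INVENTORY):
        print(f"{dev}: WhatsApp ({plat}) {ver} is in the affected range; update required")
```

The inventory rows are stand-ins for whatever a mobile device management export would provide; the point of the example is that the Windows Phone line must be compared with `<=` while every other client uses `<`, and that version strings must be compared as integers (otherwise "2.19.99" sorts after "2.19.100").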
CERT-In has also advised users to upgrade to the latest versions of WhatsApp.