Never miss a great news story!
Get instant notifications from Economic Times
AllowNot now


You can switch off notifications anytime using browser settings.
11,963.00-55.4
Stock Analysis, IPO, Mutual Funds, Bonds & More

WhatsApp vulnerability: CERT-In issues advisory; company says users unaffected

The advisory comes in the backdrop of recent developments where WhatsApp had informed the Indian government in September that over hundred Indian users were targeted by the Israeli spyware -- Pegasus.

PTI|
Nov 20, 2019, 05.22 PM IST
0Comments
BCCL
tip
An Indian cyber security agency has warned WhatsApp users against a "vulnerability" that can compromise their individual account without seeking permissions even as the popular social messaging app said users have not been impacted.

The Computer Emergency Response Team-India (CERT-In) has issued an advisory in this context calling the severity of the threat, being spread by an MP4 file, as "high."

The advisory comes in the backdrop of recent developments where WhatsApp had informed the Indian government in September that over hundred Indian users were targeted by the Israeli spyware -- Pegasus.

"A vulnerability has been reported in WhatsApp which could be exploited by a remote attacker to execute arbitrary code on the target system," the latest advisory said.

The CERT-In is the nodal agency to combat hacking, phishing and to fortify security-related defences of the Indian internet domain.

A WhatsApp spokesperson said the company is constantly working to improve the security of their service.

"We make public, reports on potential issues we have fixed consistent with industry best practices. In this instance there is no reason to believe users were impacted," the spokesperson said.

The Indian cyber security agency's advisory suggested "upgrading" to the latest version of WhatsApp to combat or tide over the problem.

Describing the malicious action of the vulnerability in the popular social messaging app (application), it said, "A stack-based buffer overflow vulnerability exists in WhatsApp due to improper parsing of elementary stream metadata of an MP4 file. A remote attacker could exploit this vulnerability by sending a specially crafted MP4 file to the target system."

It added that this could trigger a buffer overflow condition leading to execution of arbitrary code by the attacker.

"The exploitation does not require any form of authentication from the victim's end and executes on downloading of malicious crafted mp4 file on victim's system," it said.

Successful exploitation of this vulnerability, it said, could allow the remote attacker to cause remote code execution (RCE) or denial of service (DoS) condition, which could lead to further compromise of the system.

It stated half-a-dozen WhatsApp software have been "affected" by the current vulnerability.

They have been identified as WhatsApp for Android prior to 2.19.274, WhatsApp for iOS prior to 2.19.100, WhatsApp Enterprise Client prior to 2.25.3, WhatsApp for Windows Phone prior to 2.18.368, WhatsApp Business for Android prior to 2.19.104 and WhatsApp Business for iOS prior to 2.19.100. NES NES TDS TDS

Also Read

WhatsApp ‘exits’ accounts of J&K users

WhatsApp snooping row: Baghel orders probe

WhatsApp introduces catalogs for small businesses

WhatsApp introduces 'Catalogs' for small businesses

Snooping boosts government's WhatsApp traceability case

Comments
Add Your Comments
Commenting feature is disabled in your country/region.
Download The Economic Times Business News App for the Latest News in Business, Sensex, Stock Market Updates & More.

Other useful Links


Follow us on


Download et app


Copyright © 2019 Bennett, Coleman & Co. Ltd. All rights reserved. For reprint rights: Times Syndication Service