A government agency has warned against a vulnerability in WhatsApp that can compromise individual systems without seeking permission. The note of caution comes close after recent developments where WhatsApp informed the Indian government that Israeli spyware Pegasus had targeted more than hundred Indian users.
In its latest advisory, the Computer Emergency Response Team-India (CERT-In) pointed out that the vulnerability in WhatsApp could be exploited by an MP4 file. The agency has classified the threat as "high". CERT-In is the nodal agency under Ministry of Electronics and Information Technology which checks hacking, phishing and fortifies security-related defences of the Indian internet domain.
"A vulnerability has been reported in WhatsApp which could be exploited by a remote attacker to execute arbitrary code on the target system," said CERT-In said in its advisory.
"A stack-based buffer overflow vulnerability exists in WhatsApp due to improper parsing of elementary stream metadata of an MP4 file. A remote attacker could exploit this vulnerability by sending a specially crafted MP4 file to the target system," the agency further clarified.
This loophole allows an attacker to easily execute arbitrary code on systems. "The exploitation does not require any form of authentication from the victim's end and executes on downloading of maliciously crafted mp4 file on victim's system," it said.
Successfully exploiting this vulnerability allows attackers to access and make changes to the affected device from a remote location. The attacker could also lock out users from using their devices by exploiting this loophole.ALSO READ:Alert! This WhatsApp feature could be draining your mobile phone's battery
CERT-In's advisory suggested "upgrading" to the latest version of WhatsApp to combat or tide over the problem.
So far, the agency stated has identified half-a-dozen WhatsApp software "affected" by the current vulnerability. These include WhatsApp for Android prior to 2.19.274, WhatsApp for iOS prior to 2.19.100, WhatsApp Enterprise Client prior to 2.25.3, WhatsApp for Windows Phone prior to 2.18.368, WhatsApp Business for Android prior to 2.19.104, and WhatsApp Business for iOS prior to 2.19.100.
Meanwhile, WhatsApp has clarified that no users have been affected in the latest security breach.
"WhatsApp is constantly working to improve the security of our service. We make public, reports on potential issues we have fixed consistent with industry best practices. In this instance there is no reason to believe users were impacted," a WhatsApp spokesperson said.
(With PTI inputs)