Google Alert – WhatsApp users at risk from ‘specially crafted’ MP4 video files – tech (CVE Vulnerability)

Facebook-owned WhatsApp has flagged another critical security risk for its millions of users on Android, iOS and Windows platform. The latest security exploit involves malicious MP4 video files which could allow hackers to execute snooping attack. WhatsApp says these ‘specially crafted MP4 file’ can trigger the remote code execution (RCE) and denial of service (DoS) cyber attack.

Facebook has issued an advisory, saying “A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE.”

According to Facebook, the new security vulnerability is found on Android versions prior to 2.19.274; iOS versions prior to 2.19.100; Enterprise Client versions prior to 2.25.3; Business for Android versions prior to 2.19.104; Business for iOS versions prior to 2.19.100; and Windows Phone versions before and including 2.18.368.

“The vulnerability is classified as ‘Critical’ severity that affected an unknown code block of the component MP4 File Handler in WhatsApp,” reported on Saturday.

According to the report, hackers can use the exploit to inject malware into victim’s device to access sensitive files and even use it for surveillance purpose.

WATCH: Spyware attack on Indians via WhatsApp? | ‘Pegasus’ controversy explained 

The latest report comes shortly after WhatsApp confirmed it was targeted by Pegasus, a spyware tool made by Israel-based cyber intelligence company NSO Group. The spyware, which targeted WhatsApp’s video calling system, was used to snoop on 1,400 individuals globally and in India. The targeted individuals included human rights activists and journalists.

The Indian government sought an explanation from WhatsApp over the spyware hacking. “We agree with the government of India’s strong statement about the need to safeguard the privacy of all Indian citizens. That is why we’ve taken this strong action to hold cyber attackers accountable and why WhatsApp is so committed to the protection of all user messages through the product we provide,” a WhatsApp spokesperson had said in a statement.

(with inputs from IANS)


Article source at