WhatsApp Vulnerability – Allowing Hackers to Perform DOS Attack by Sending Crafted MP4 File
Last week Facebook has disclosed the existence of a critical Whatsapp vulnerability which is classified as a stack-buffer overflow issue. This flaw will allow the attacker to remotely access files stored in the app and messages.
There are over 1.5 billion monthly active users all over the world and in India alone there is 400 million active users.
A WhatsApp official had written letters to CERT-in informing that a specific number of Indian users were effected and data was stolen from their smartphones.
The flaw is tracked as CVE-2019-11931 and was caused by how the encrypted messaging app parses.MP4 elementary stream metadata.
Facebook, further noted in its advisory that WhatsApp breach could also result in a Denial of Service (DoS) attack.
There are no reports of the WhatsApp vulnerability being actively exploited. However, it is recommended that users update their software.
The vulnerability could be exploited using malicious MP4 video files which could potentially allow an attacker to remotely access data without any source of authentication.
Version Affected
The vulnerability affected the Android versions before 2.19.274, Business for iOS versions before 2.19.100, iOS versions before 2.19.100, Business for Android versions before 2.19.104, Enterprise Client versions before 2.25.3, Windows Phone versions before and including 2.18.368
Recent WhatsApp Vulnerability
The announcement of this flaw comes weeks after the Pegasus breach.
Pegasus is a remote access Trojan (RAT) designed to be remotely installed. This helps the attacker to enable the remote access and control of information, including calls, messages, and location on mobile devices using the Android, iOS, and BlackBerry operating systems.
Pegasus was used to target attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials, including those from India.
NSO’s actions caused damages to WhatsApp of more than $75,000, in addition to injuring its reputation, public trust, and goodwill.
