WhatsApp confirms no users were impacted by new vulnerability
Updated: 18 Nov 2019, 02:52 PM IST
- The outcome of the vulnerability is similar to that of the recent Pegasus exploit, which allowed hackers to infiltrate and gain control by placing a missed call
- All you need to do is make sure you’re not downloading such files from unknown sources
The India Computer Emergency Response Team (CERT-In) has issued a vulnerability note for WhatsApp users. Apparently, attackers can compromise your smartphone by sending a malicious MP4 file via the world’s most popular instant messaging service.
The outcome of the vulnerability is similar to that of the recent Pegasus exploit, which allowed hackers to infiltrate and gain control over a user’s phone by simply placing a missed call. However, in this case the user has to actually download the MP4 file that is sent to them, which makes it slightly easier to monitor manually than the earlier Pegasus exploit.
All you need to do is make sure you’re not downloading such files from unknown sources. The MP4 file format is often used to share songs and other audio files. “The script is executed only when the user has downloaded the file,” explained ethical hacker and web security researcher Ehraz Ahmed.
Since the attacker can execute any code they want on your phone, this vulnerability, too, would allow them, at least theoretically, to look at your texts, listen to you using your phone’s microphones, and so on. “What code will run on your system will depend entirely on what level of access the attacker is looking for,” Ahmed added.
However, WhatsApp has confirmed that a patch had been issued for this vulnerability earlier, and that no users were harmed. “WhatsApp is constantly working to improve the security of our service. We make public, reports on potential issues we have fixed consistent with industry best practices. In this instance there is no reason to believe users were impacted,” a WhatsApp spokesperson told Mint.
According to CERT and Facebook’s advisories on the loophole, the following WhatsApp versions are affected by the vulnerability:
- WhatsApp for Android prior to 2.19.274
- WhatsApp for iOS prior to 2.19.100
- WhatsApp Enterprise Client prior to 2.25.3
- WhatsApp for Windows Phone prior to 2.18.368
- WhatsApp Business for Android prior to 2.19.104
- WhatsApp Business for iOS prior to 2.19.100
That means if you are on any of these versions of WhatsApp, you should update to newer versions of the app. The current version of WhatsApp on Google Play seems to be version 2.19.330, while the iOS version stands at version 2.19.112.
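For anyone checking more than one phone, the affected-version list above can be applied to a device inventory. The sketch below is an added example, not code from CERT-In, Facebook or WhatsApp; the platform labels and the sample inventory are constructed for illustration, and only the version thresholds come from the list above. It compares version components as numbers, because a plain string comparison would rank 2.19.98 above 2.19.274.

```python
# First fixed releases, copied from the list above. The dictionary keys are
# labels made up for this example.
FIXED_IN = {
    "android": "2.19.274",
    "ios": "2.19.100",
    "enterprise": "2.25.3",
    "windows_phone": "2.18.368",
    "business_android": "2.19.104",
    "business_ios": "2.19.100",
}

def parse_version(text):
    """Turn '2.19.98' into (2, 19, 98) so components compare as numbers."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(platform, installed):
    """True when `installed` is older than the first fixed release."""
    fixed = parse_version(FIXED_IN[platform])
    have = parse_version(installed)
    # Pad with zeros so a short version such as 2.25 is treated as 2.25.0.
    width = max(len(fixed), len(have))
    return have + (0,) * (width - len(have)) < fixed + (0,) * (width - len(fixed))

def audit(inventory):
    """Return (device, platform, version, status) for every inventory row."""
    report = []
    for device, platform, version in inventory:
        try:
            status = "UPDATE" if is_affected(platform, version) else "ok"
        except (KeyError, ValueError):
            status = "UNKNOWN"  # unlisted platform or malformed version
        report.append((device, platform, version, status))
    return report

# Constructed sample inventory (for example, an MDM export); not real devices.
SAMPLE = [
    ("phone-01", "android", "2.19.98"),      # older than 2.19.274 numerically
    ("phone-02", "android", "2.19.330"),
    ("phone-03", "ios", "2.19.100"),         # exactly the fixed release
    ("phone-04", "enterprise", "2.25"),
    ("phone-05", "windows_phone", "2.18.x"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("{:<9} {:<14} {:<9} {}".format(*row))
```

Rows marked UNKNOWN need a manual check rather than being assumed safe.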