For the past few years, WhatsApp has remained a favorite target for hackers and social intruders. The popular messaging service has recorded various data theft issues in the past. It has been in the headlines in recent weeks over the vulnerabilities and data thefts linked to the Israeli spyware firm NSO. The messaging app is once again in the news, as Facebook has issued an official advisory regarding a critical bug that poses a threat from malicious MP4 files.
In detail, the bug can be triggered by sending a specially crafted MP4 file. The flaw lies in how the app parses the elementary stream metadata of an MP4 file, and it could result in a DoS (denial-of-service) condition or even Remote Code Execution. The attack can be performed remotely and does not need any authentication. The company has classified the vulnerability as ‘Critical’ due to the severe consequences if someone misuses the loophole.
The critical bug affects WhatsApp for Android versions before 2.19.274 and iOS versions prior to 2.19.100. Similarly, the issue is present in the Enterprise client versions 2.25.3 and older; Windows versions including and prior to 2.18.368; Business for Android version 2.19.104 and older; and Business for iOS versions before 2.19.100.
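An inventory check against the affected-version ranges listed above, as an added example (not code from WhatsApp, Facebook or this article). The product keys, device names and inventory rows are constructed; the thresholds are the ones the article gives, and "not-listed" only means the version falls outside those ranges.

```python
import re

# product key (hypothetical) -> (boundary version from the article, boundary itself affected?)
AFFECTED = {
    "android": ("2.19.274", False),          # versions before 2.19.274
    "ios": ("2.19.100", False),              # versions prior to 2.19.100
    "enterprise": ("2.25.3", True),          # 2.25.3 and older
    "windows": ("2.18.368", True),           # including and prior to 2.18.368
    "business-android": ("2.19.104", True),  # 2.19.104 and older
    "business-ios": ("2.19.100", False),     # versions before 2.19.100
}

def parse_version(text):
    """Return a dotted version as a tuple of ints, or None if malformed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def classify(product, version):
    """Return 'affected', 'not-listed', or 'review' (unknown product or version)."""
    rule = AFFECTED.get(product.strip().lower())
    parsed = parse_version(version)
    if rule is None or parsed is None:
        return "review"
    bound = parse_version(rule[0])
    # Pad to equal length so 2.25.3 and 2.25.3.0 compare as equal.
    width = max(len(parsed), len(bound))
    parsed += (0,) * (width - len(parsed))
    bound += (0,) * (width - len(bound))
    if parsed < bound or (rule[1] and parsed == bound):
        return "affected"
    return "not-listed"

def audit(rows):
    """rows: iterable of (device, product, version) -> {device: status}."""
    return {device: classify(product, version) for device, product, version in rows}

INVENTORY = [  # constructed sample data
    ("phone-01", "android", "2.19.273"),
    ("phone-02", "android", "2.19.274"),
    ("phone-03", "android", "2.19.9"),   # numerically older than 2.19.274
    ("srv-01", "enterprise", "2.25.3"),
    ("phone-04", "ios", "beta"),         # unparsable, flagged for manual review
]

if __name__ == "__main__":
    for device, status in audit(INVENTORY).items():
        print(f"{device}: {status}")
```

Comparing versions as integer tuples matters here: a plain string comparison would rank 2.19.9 above 2.19.274 and miss an affected device.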
Hackers could inject malware or other code, which could have compromised the data and essential information of several users. It could even become a backdoor for surveillance purposes. However, the issue was found by the internal team and was not disclosed by any external researcher or analyst. Still, it is not known whether someone could have used it to intercept data. We expect the company to release an immediate update patching the bug. The issue can be tracked as CVE-2019-11931.
Additionally, WhatsApp recently raised grave concerns over Pegasus, a spyware tool for intercepting messages developed by the Israel-based cyber intelligence company NSO Group. The spyware was used to snoop on 1400 individuals throughout the world, especially in India. The targeted accounts included those of some journalists and human rights activists. When the Indian government sought an explanation over the issue, WhatsApp replied: “We agree with the government of India’s strong statement about the need to safeguard the privacy of all Indian citizens. That is why we’ve taken this strong action to hold cyber attackers accountable and why WhatsApp is so committed to the protection of all user messages through the product we provide,” a WhatsApp spokesperson said in a statement.