If you’ve recently received an odd-looking MP4 file on WhatsApp, you better be wary of it. A brand new attack is doing the rounds that is exploiting a security vulnerability in the chat application on both Android and iOS devices. It involves sending a special MP4 file to the target account that triggers the remote code execution (RCE) and denial of service (DoS) attacks. These attacks allow the hacker to snoop around the victim’s device, therefore users are advised to update their WhatsApp in order to avoid getting targeted.
Classified as ‘Critical’ in terms of severity, the security vulnerability has affected an unknown portion of code in the MP4 file handler component in WhatsApp. Naturally, Facebook issued an advisory in this regard.
“A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE,” said the social media giant in a statement.
This vulnerability has been found on all Android versions prior to 2.19.274 and all iOS versions prior to 2.19.100. It allows hackers to deploy malware on the victim’s device that can steal important files and perform surveillance as well. The RCE vulnerability, in particular, enables hackers to perform remote attacks without any form of authentication.
As it happens, this isn’t the first time this year that a source has used an MP4 system to target accounts on WhatsApp. Pegasus, a piece of spyware created by Israeli surveillance firm NSO, was used to spy on Indian journalists and human rights activists by exploiting WhatsApp’s video calling system.
There is definitely a need to not only hold cyber attackers accountable for their actions but also to revamp WhatsApp’s security infrastructure to fix such vulnerabilities.