The new vulnerability is found in Android versions prior to 2.19.274; iOS versions prior to 2.19.100
WhatsApp. (Photo: iStock)
Online instant messaging service WhatsApp on Monday said iOS and Android users data was not affected because of the new bug where an infected video file in MP4 format could potentially allow an attacker to remotely access messages and files stored in the users’ phones.
On Sunday, reports claimed that hackers exploited WhasApp’s vulnerability to deploy the malware to user’s device to steal their sensitive data.
“WhatsApp is constantly working to improve the security of our service. We make public, reports on potential issues we have fixed consistently with industry-best practices. In this instance, there is no reason to believe users were impacted,” a company spokesperson was quoted as saying in an IANS story.
Advertisement
The company has already issued a security update to fix the bug. On the other hand, the social media giant has sued the Israeli firm responsible for the (now-fixed) malicious attack that affected as many as 1,400 selected users globally including human rights activists and journalists.
“The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE,” the company said.
The vulnerability is classified as “critical” severity that affected an unknown code block of the component MP4 File Handler in WhatsApp.
Meanwhile, the Israeli firm Pegasus-NSO Group, issue snowballed into a political one, with the Indian government directing WhatsApp to submit a reply over the matter.
The government also denied either purchasing or planning to purchase the infamous software in question.
The new vulnerability is found in Android versions prior to 2.19.274; iOS versions prior to 2.19.100; Enterprise Client versions prior to 2.25.3; Business for Android versions prior to 2.19.104; Business for iOS versions prior to 2.19.100; and Windows Phone versions before and including 2.18.368.
The RCE vulnerability may allow hackers to perform the attack remotely without any sort of authentication.
(With input from agencies)
Advertisement
