Is It Safe For You To Use WhatsApp? CERT-In has alerted users about a new vulnerability where hackers can attack the messaging platform using MP4 files

While WhatsApp is caught up amid controversies, the Facebook-owned messaging app has landed itself in trouble again. Ministry of Electronics and IT (MeitY) run the Indian Computer Emergency Response Team (CERT-In) has alerted users about a new vulnerability. According to CERT-in, hackers can attack the messaging platform using MP4 files.

According to the official note, this vulnerability does not require any form of authentication from the victim and thus affects the system when the maliciously crafted file is downloaded by the user. "A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a Denial of Service (DoS) or Remote Code Execution (RCE)," the note said.

For the uninitiated, according to reports, RCE is a situation where the hacker can get access to someone else's computing device and make changes no matter where the device is geographically located.

CERT-In also said that the vulnerability can affect people using android versions prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Business for Android versions prior to 2.19.104 and Business for iOS versions prior to 2.19.100. The national nodal agency has also advised the users to update their WhatsApp application and update it to the latest version.

In response to CERT-In's alert, WhatsApp spokesperson said, "WhatsApp is constantly working to improve the security of our service. We make public, reports on potential issues we have fixed consistent with industry best practices. In this instance, there is no reason to believe users were impacted."

Is WhatsApp Safe?

The Facebook-owned messaging app has been making the headlines for the past few weeks due to privacy and data breach-related issues. In the latest privacy-related controversy, reports revealed that spyware "Pegasus' snooped into the phones of 1,400 people across the world earlier this year through WhatsApp. The Facebook-owned messaging platform had filed a case against Israel-based surveillance firm NSO Group in the federal court, accusing them of allegedly being involved in the breach.

According to WhatsApp, the company came across the cyber attack in May this year where its video calling feature was being compromised to send malware to users. According to media reports, through this attack, NSO helped the government spies get access to the phones of 1,400 users across four continents. The targets were mainly diplomats, political dissidents, journalists and senior government officials. "This attack was developed to access messages after they were decrypted on an infected device, abusing in-app vulnerabilities and the operating systems that power our mobile phones," WhatsApp said in a statement.

Following this issue, it was reported that the Indian government planned to meet with Reserve Bank of India (RBI) and the National Payments Corporation of India (NPCI) about the risks of allowing social media companies to offer online payment services. Keeping the risks in mind, the central bank asked NPCI to not allow a full-scale launch of WhatsApp Payments in India and also told the Supreme Court that the company is not compliant with data localisation norms.

Tussle In India

The messaging company has been locking horns with the Indian authorities since last year over launch of WhatsApp Payments and solving the issue of spread of fake news.

The central government has pulled up the Facebook-owned company after a fake news about kidnapping caused "unfortunate killings" in the country. Following several such incidences, MeitY has asked the company to devise a solution to trace the originator of the fake message. However, the company declined the request stating that this would require them to break its encryption feature.

In response, IIT Madras professor V Kamakoti, who serves on the board of National Security Advisory Board (NSAB) proposed ways to ensure traceability without breaking encryption. According to Prof Kamakoti, WhatsApp can embed information about the originator of a text along with the encrypted message. Such information will be encrypted but can be shown to law enforcement if the situation demanded.

According to a report by MediaNama, Dr Manoj Prabhakaran, a computer science professor at IIT Bombay said that Kamakoti's proposal might affect users' privacy. Prabhakaran who submitted his analysis on behalf of Internet Freedom Foundation (IFF) to the Madras High Court belives that traceability might not be an effective tool to combat fake news. He highlighted that one may hire several thousand people to serve as originators of content, thus the main brain behind this might remain untraceable.