MP4 videos to GIFs: WhatsApp vulnerabilities that put users’ data at risk
WhatsApp last week confirmed a new vulnerability which was exploited by hackers through malicious MP4s videos.Updated: Nov 18, 2019 12:40 IST
WhatsApp is the world’s most popular instant messaging application. Naturally, it has become one of the top targets for cyber criminals around the world. Just recently, WhatsApp’s security vulnerabilities were exploited to inject Pegasus spyware and snoop on 1,400 individuals around the world. Facebook has now confirmed another security vulnerability which involved sending malicious MP4 video files.
The new vulnerability shows how simple things such as MP4 videos could put users’ data at risk. In the case of Pegasus as well, spyware could be injected through mere WhatsApp video calls, even if the receiver hasn’t picked up the call. Let’s take a look at some of the recent vulnerabilities that were exploited by hackers using popular file formats on the platform.
GIFs are quite popular across social networking platforms. Hackers, however, found a workaround to hack victim’s phone by sending malicious GIF files. If successful, hackers could have gained remote access to victim’s phone. The bug, now fixed, affected users running Android 8.1 and Android 9 versions.
“The key point that the [vulnerability disclosure] makes is that this issue affects the user on the sender side, meaning the issue could in theory occur when the user takes action to send a GIF. The issue would impact their own device,” WhatsApp confirmed the bug.
Security firm Check Point in August this year pointed out an old WhatsApp vulnerability could allow alter messaging using the popular “quote” feature. Leveraging social engineering tactics to fool end-users, hackers could send a private message to a group participant disguised as a public message.
Before video call-driven Pegasus spyware emerged, WhatsApp in May this year confirmed a spyware attack via audio calls. The bug in WhatsApp audio calling feature enabled hackers to install spyware onto Android and iPhones by mere calling the target. WhatsApp fixed the bug and asked users to update the application on their phone.
“The bug can be exploited based on a decades-old type of vulnerability - a buffer overflow,” Carl Leonard, Principle Security Analyst at cybersecurity company Forcepoint, had said. “While no details of the actions taken by this malware have emerged, one could assume that an attacker may seek out bulk contact lists, email data, location data or other personal information.”
Free 1,000GB data scam
Researchers from cyber security firm ESET earlier this year discovered a scam that involved luring users with a fake message that WhatsApp was giving away 1,000GB of internet data free on its 10th anniversary. The campaign also included a malicious URL aimed at racking up bogus ad clicks. In 2017, a similar scam campaign made the rounds that promised to give away free data.