The Indian Computer Emergency Response Team (CERT-In) has warned WhatsApp users in India of multiple vulnerabilities it detected in the instant messaging platform, which could lead to breach of sensitive user data and personal information.
In a “high” severity rating advisory, the CERT-In said that the vulnerabilities had been detected in certain versions of WhatsApp and WhatsApp Business for both the Android and iOS platforms.
“Multiple vulnerabilities have been reported in WhatsApp applications which could allow a remote attacker to execute arbitrary code or access sensitive information on a targeted system,” the advisory said.
The vulnerabilities, CERT-In said, exist in WhatsApp due to a cache configuration issue and missing audio decoding pipeline, which could give hackers the potential to “execute arbitrary code or access sensitive information on a targeted system”.
To prevent the threat, the government’s cybersecurity agency has asked users to update their WhatsApp on Android and iOS to the latest versions.
This is not the first time that CERT-In has issued a “high” severity rating advisory, warning users of the presence of multiple vulnerabilities in the instant messaging platform. In November last year, the cybersecurity agency had issued a similar warning to users, cautioning them that it had found two major vulnerabilities, namely an improper access control vulnerability and a use-after-free vulnerability.
The improper access control vulnerability was found to be present in the screen lock feature of the instant messaging platform and could be used to communicate on WhatsApp by giving voice commands to Siri, an audio assistant in iOS phones. The use-after-free vulnerability, on the other hand, allowed attackers to target users by sending a specially crafted animated sticker during a video call.
Similarly, in November 2019, CERT-In had warned WhatsApp users about a buffer overflow vulnerability in the platform, which allowed an attacker to remotely target a system by sending a specially crafted MP4 audio or video file.
The CERT-In had then warned that successful exploitation of this vulnerability would allow an attacker to cause remote code execution or a denial-of-service condition for the users.