A vulnerability has been identified in WhatsApp's code. This security flaw stems from an "identity theft issue" within the instant messaging service, according to Meta, WhatsApp's parent company. The flaw has been spotted by an external researcher as part of Meta's Bug Bounty program.
How could hackers trick WhatsApp users?
Put simply, the app handled attachments in two different ways: it used their MIME type (a label indicating the attachment's content, such as “image/png” or “application/pdf”) to display them correctly, but relied on their file extension (such as .jpg, .exe, .pdf, etc.) to decide which program to open them with.
To exploit the flaw, hackers can send a file containing dangerous code, but give it a familiar and reassuring extension like .jpeg. WhatsApp would then display the malicious attachment as a simple image. If the user trusts WhatsApp and opens the file, the computer will launch a program designed to correctly execute the document. Windows may end up executing malicious code provided by cybercriminals. This "malicious mismatch could have caused the recipient to inadvertently execute arbitrary code rather than view the attachment," Meta summarizes.
Install the WhatsApp update as soon as possible
To protect WhatsApp users on Windows, Meta has deployed an update. As the Californian group indicates, WhatsApp version 2.2450.6 contains a fix for the vulnerability. Meta recommends that Windows users update their application immediately to avoid unpleasant surprises. To update To update WhatsApp on Windows, open the app, click the three dots in the top left corner, then go to Settings > About. If an update is available on your computer, a link will offer to download the latest version. Simply follow the instructions to install it.
This isn't the first time WhatsApp has uncovered a flaw that puts its users at risk. Last month, the messaging service patched a vulnerability exploited by Graphite, a spyware virus developed by the firm Paragon. This formidable spyware managed to compromise 90 WhatsApp users, including journalists and members of civil society. WhatsApp also recently patched a privacy breach. This allowed users to bypass the single-view feature and take screenshots of a message or sent photo. It only affected the desktop version of WhatsApp.
Source: WhatsApp
0 Comments