Hackers on WhatsApp can spoof executables as images or other files


WhatsApp has patched a dangerous spoofing issue that enabled attackers to send executables that appeared to recipients as images, PDFs, or other files.

WhatsApp warns that the flaw affects Windows users using app versions prior to 2.2450.6.

Vulnerable WhatsApp versions display an attachment based on its MIME type, not its filename extension. MIME, or Multipurpose Internet Mail Extensions, is a standard that extends the message format to support attachments; the MIME type is a label that tells the app what kind of file it’s dealing with.

“A maliciously crafted mismatch could have caused the recipient to inadvertently execute arbitrary code rather than view the attachment when manually opening the attachment inside WhatsApp,” Meta explains in its advisory.

For example, an attacker could send a user a message with a malicious ‘.exe’ attachment labeled as ‘image/jpeg.’ For users, it would appear as a safe-to-open file.

However, if the user opens such a file, WhatsApp will use the filename’s extension to handle it, which could result in the unintentional execution of arbitrary code.
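A receiving-side check for the mismatch described above, for instance in a messaging or mail gateway, compares the declared MIME type with the extension that will actually decide how the file is opened. This Python sketch is an added example, not code from WhatsApp or Meta's advisory; the extension tables, verdict names and function names are assumptions chosen for illustration.

```python
import os

# Illustrative, non-exhaustive tables (assumptions for this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif",
                   ".msi", ".vbs", ".js", ".ps1", ".hta", ".lnk"}
MIME_EXTS = {
    "image/jpeg": {".jpg", ".jpeg"},
    "image/png": {".png"},
    "application/pdf": {".pdf"},
}


def effective_extension(filename: str) -> str:
    """Return the extension Windows would act on when the file is opened."""
    name = os.path.basename(filename.replace("\\", "/"))
    # Win32 path handling drops trailing dots and spaces, so "a.exe. " is "a.exe".
    name = name.rstrip(". ")
    # Only the last suffix counts: "holiday.jpg.exe" is an .exe file.
    return os.path.splitext(name)[1].lower()


def classify(filename: str, declared_mime: str) -> str:
    """Compare the declared MIME type with the extension that decides handling."""
    mime = declared_mime.split(";", 1)[0].strip().lower()  # drop parameters
    ext = effective_extension(filename)
    allowed = MIME_EXTS.get(mime)
    if allowed is None:
        return "unknown-mime"        # not in the table: leave to local policy
    if ext in allowed:
        return "consistent"
    if ext in EXECUTABLE_EXTS:
        return "spoofed-executable"  # shown as a document, opened as a program
    return "mismatch"


if __name__ == "__main__":
    samples = [  # constructed attachments, not taken from any real message
        ("holiday.jpg", "image/jpeg"),
        ("holiday.jpg.exe", "image/jpeg"),
        ("invoice.pdf.SCR", "application/pdf"),
        ("photo.exe. ", "image/jpeg; name=photo.jpg"),
        ("scan.png", "image/jpeg"),
    ]
    for name, mime in samples:
        print(f"{name!r:22} {mime:28} -> {classify(name, mime)}")
```

A "spoofed-executable" verdict is the case the advisory describes; "mismatch" and "unknown-mime" are left for local policy to quarantine or pass.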

Any potential attack would still rely on users interacting with the file. For this, hackers would need to obtain and exploit some level of user trust to trick them into manually opening the attachment.

There is no information on whether the flaw has been exploited by attackers in the wild.

Because of the required user interaction and the potential attack complexity, the vulnerability has been assigned a severity score of 6.7 out of 10.

The flaw was reported via a responsible disclosure by an external researcher through Facebook’s security bounty program.

Users are advised to update WhatsApp to the latest version to protect themselves.