Clipped from: https://www.business-standard.com/technology/tech-news/whatsapp-security-flaws-cert-in-warns-cyberattack-126050600842_1.html
Cert-In has warned WhatsApp users about multiple security flaws that could allow attackers to execute malicious code and gain unauthorised access on affected devices
India’s Computer Emergency Response Team (Cert-In) has issued a vulnerability note, warning users about multiple security flaws in WhatsApp that could expose devices to serious risks, including unauthorised access and potential system compromise. The advisory highlights that attackers could exploit these vulnerabilities by sending specially crafted attachments.

According to Cert-In, the issue affects WhatsApp users on iOS, Android, and Windows platforms, with certain versions identified as vulnerable. The agency has categorised the severity as medium, but noted that the potential impact could still be significant if exploited.

WhatsApp has acknowledged the vulnerabilities and said the issues have been patched in the latest versions of the app across Android, iOS, and Windows platforms. According to notes shared on WhatsApp’s security advisories page, the Android and iOS-specific vulnerabilities were disclosed by external researchers through Meta’s Bug Bounty programme and the Meta Security team. The Windows-specific vulnerability was also reported by an external researcher through Meta’s Bug Bounty programme. WhatsApp said it has not found any evidence that these vulnerabilities were exploited in the wild.
What is the risk for users
Cert-In said the vulnerabilities could allow attackers to spoof file types, execute arbitrary code, and bypass security protections on affected devices. In simpler terms, this means a malicious file could appear harmless but carry hidden code that runs once opened.
The advisory also warns of risks such as full system compromise and unauthorised access, depending on how the vulnerabilities are exploited. In some cases, attackers could trick the app into loading malicious content from external sources controlled by them.
How the attack works
The issue stems from weaknesses in how WhatsApp handles certain types of files and messages. Cert-In noted that improper handling of attachment filenames and incomplete validation of messages containing external media links create an opening for attackers.
By sending specially crafted attachments, an attacker can manipulate how the app processes files, potentially triggering malicious actions without the user realising the risk.
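As an added illustration (not code from WhatsApp, Meta or Cert-In), the following Python snippet shows the kind of receiver-side check that defeats filename-based type spoofing of the sort the advisory describes: instead of trusting the attachment's extension, it sniffs the content's leading bytes and flags any mismatch. The signature table covers a few common formats and the sample attachments are constructed for the example.

```python
"""Added example: flag attachments whose declared type (filename extension)
disagrees with what the bytes actually are. A client that trusts the
filename alone is the weakness the advisory points at; sniffing content
is the mitigation. Sample attachments below are constructed, not real."""
import os
from typing import Optional

# Magic-number prefixes for a few common attachment types (real signatures).
MAGIC = {
    "jpg":  [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "pdf":  [b"%PDF-"],
    "zip":  [b"PK\x03\x04"],
    "exe":  [b"MZ"],
}
# Extensions that name the same format.
_ALIAS = {"jpeg": "jpg"}

def declared_type(filename: str) -> str:
    """Type the filename claims: last extension, lowercased, no dot."""
    return os.path.splitext(filename)[1].lstrip(".").lower()

def sniffed_type(data: bytes) -> Optional[str]:
    """Type implied by the content's magic bytes, or None if unrecognised."""
    for ext, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return ext
    return None

def is_spoofed(filename: str, data: bytes) -> bool:
    """True when content is unrecognised (fail closed) or recognised as a
    different format than the extension claims."""
    actual = sniffed_type(data)
    if actual is None:
        return True
    claimed = declared_type(filename)
    return _ALIAS.get(claimed, claimed) != _ALIAS.get(actual, actual)

def flagged(attachments: dict) -> list:
    """Names of attachments that fail the type-consistency check."""
    return [name for name, data in attachments.items() if is_spoofed(name, data)]

# Constructed samples: a genuine PNG header, and an executable header
# carrying an image extension.
SAMPLES = {
    "holiday.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "invoice.jpg": b"MZ\x90\x00" + b"\x00" * 16,
}
```

Running `flagged(SAMPLES)` reports only `invoice.jpg`; a real client would refuse to render or open a flagged file as the type its name claims.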
Who is affected
The vulnerabilities impact multiple versions of WhatsApp across platforms, including:
- WhatsApp for iOS (v2.25.8.0 to v2.26.15.72)
- WhatsApp for Android (v2.25.8.0 to v2.26.7.10)
- WhatsApp for Windows (versions prior to v2.3000.1032164386.258709)
Cert-In has said end users running these versions can be affected.
What users should do
Cert-In has advised users to update WhatsApp to the latest available version to reduce the risk. Installing updates ensures that known vulnerabilities are patched and security protections are strengthened.
The agency emphasised that timely updates remain one of the most effective ways for users to protect their devices against such threats.
Why this matters
With WhatsApp being one of the most widely used messaging platforms, vulnerabilities like these can potentially affect a large number of users. Even though the severity rating is classified as medium, the ability to execute code or bypass protections makes the issue important for users to take seriously.
Cert-In’s advisory highlights the growing need for users to stay updated and cautious, especially when dealing with unexpected attachments or links received on messaging platforms.