India’s cyber security agency, the Computer Emergency Response Team (CERT-In), recently issued an alert against multiple vulnerabilities in older versions of WhatsApp and WhatsApp Business for iOS.
The severity rating of the vulnerability has been marked high.
According to the alert issued by CERT-In, there are two critical vulnerabilities in WhatsApp and WhatsApp Business for iOS — an Improper Access Control vulnerability (CVE-2020-1908) and a Use-After-Free vulnerability (CVE-2020-1909).
These vulnerabilities have been disclosed by WhatsApp as part of its November update to its security advisories.
Remote hacker
The Improper Access Control vulnerability can allow hackers to access WhatsApp even after a phone is locked. The vulnerability affects WhatsApp iOS versions prior to v2.20.100.
“Improper authorisation of the Screen Lock feature in WhatsApp and WhatsApp Business for iOS prior to v2.20.100 could have permitted use of Siri to interact with the WhatsApp application even after the phone was locked,” said WhatsApp.
The use-after-free in a logging library in WhatsApp can be exploited by a remote attacker “by sending a specially crafted animated sticker to the target while placing a WhatsApp video call on hold, resulting in several events occurring together,” said the CERT advisory.
The vulnerability, which affects WhatsApp for iOS prior to v2.20.111 and WhatsApp Business for iOS prior to v2.20.111, could have resulted in “memory corruption, crashes and potentially code execution,” according to WhatsApp.
The CERT-In advisory suggests users install and update to the latest version of WhatsApp with security patches from the App Store.