Meta has released security patches for WhatsApp addressing two vulnerabilities that could enable attackers to execute malicious URLs and mask harmful files on user devices. The flaws were discovered in the messaging platform's handling of Instagram Reels and file processing mechanisms.
The more critical vulnerability centers on WhatsApp's processing of Instagram Reels content. The flaw allows remote threat actors to exploit unvalidated message elements within Reels shared through the platform. By manipulating these elements, attackers could force arbitrary URLs to execute on a victim's device without proper validation or user consent.
The technical issue stems from insufficient input validation when WhatsApp processes Instagram Reels metadata and embedded links. When a malicious Reel is shared through WhatsApp, the application fails to properly sanitize certain message components, allowing attackers to inject and trigger unauthorized URLs. The second vulnerability allows harmful files to be disguised on a user's device, though available reporting gives few technical details about this flaw.
The vulnerabilities pose significant risks to WhatsApp’s user base, which numbers in the billions globally. Successful exploitation could lead to phishing attacks, malware distribution, or redirection to malicious websites. The remote nature of the Instagram Reels vulnerability is particularly concerning, as it requires no physical access to target devices and could potentially be exploited at scale through social engineering tactics.
Meta has deployed patches through standard WhatsApp updates to address both vulnerabilities. Users should immediately update their WhatsApp applications to the latest version available through their device’s app store. Organizations using WhatsApp for business communications should prioritize these updates and remind employees to exercise caution when interacting with Instagram Reels shared through the platform, even from known contacts, until updates are confirmed installed.
Source: https://gbhackers.com/whatsapp-security-flaw-enables-malicious-url-execution/



