New Delhi: If you have received an MP4 video file on WhatsApp from an unknown number, you could be a victim of a new kind of hacking that uses a recently discovered WhatsApp vulnerability to install malicious spyware on phones.
This security vulnerability allowed a remote attacker to target phones by sending a video file in MP4 format.
When notified about the security breach, the Indian Computer Emergency Response Team (CERT) categorised the threat as "High Severity".
Pegasus-like features
Israel-based spyware maker NSO Group was in the spotlight recently for allegedly providing technology [Pegasus spyware] that used WhatsApp's video calling feature to attack users' phones.
A security message notified by WhatsApp's parent company Facebook said, "A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user."
Identified as CVE-2019-11931, this vulnerability message is similar to the one received by CERT from WhatsApp during the Pegasus snooping case.
According to the communication, this weakness could allow a remote attacker to force "Denial of Services (DoS) and Remote Code Execution (RCE)" which could be used to compromise any device running Android, iOS or Windows.
An attacker could use a person's cell number to send a video file through WhatsApp and install an unwanted program on their phone by exploiting this vulnerability.
This security issue existed in both the individual and business versions of the popular messaging app until updates were rolled out in October this year.
Although the latest security patch from WhatsApp claims to have fixed this problem, WhatsApp and Facebook have not given further details about the extent of possible execution of this exploit.
This comes even as the controversy around WhatsApp snooping refuses to die down, where phones of over a dozen activists, journalists and lawyers were allegedly compromised by an Israel-made spyware.
WhatsApp has been under fire for not providing adequate information to Indian authorities about the extent of attacks during the Pegasus breach. The messaging app has sued NSO Group in a US court for violating its terms and conditions.
Government sources had earlier claimed that the information provided by WhatsApp is more of a "technical jargon" which didn't give much information about victims and the extent of such attacks. WhatsApp had informed users separately about a possible Pegasus attack on their devices.
Similar to the Pegasus incident, this vulnerability is also being called "a stack-based buffer overflow vulnerability".
According to CERT, "The exploitation does not require any form of authentication from the victim end and executes on downloading of malicious mp4 file on victim's system."
Courtesy: www.indiatoday.in
Sakti (Chhattisgarh) (PTI): The death toll in a blast at the Vedanta power plant in Chhattisgarh's Sakti district has mounted to 20 with seven more workers succumbing to injuries, while 16 others are undergoing treatment at different hospitals, officials said on Wednesday.
The deceased include six labourers from West Bengal, five from Chhattisgarh, three each from Jharkhand and Uttar Pradesh, two from Bihar, and one from Madhya Pradesh.
The opposition Congress has demanded registration of an FIR against the plant management and a judicial inquiry into the incident.
The explosion occurred on Tuesday afternoon in a steel tube carrying high-pressure steam from the boiler to the turbine at the Vedanta Ltd power plant located in Singhitarai village, leaving several workers with severe burn injuries.
According to officials, four workers died on the spot, while nine others succumbed to injuries soon after the incident.
Seven more workers have died in hospitals, raising the toll to 20, Sakti Collector Amrit Vikas Topno told PTI on Wednesday.
He said that a total of 36 workers were affected in the blast, and 20 of them died.
"Of the 16 injured workers, five are undergoing treatment in hospitals in Raipur, while 11 others are in hospitals of Raigarh, the neighbouring district of Sakti," he added.
Topno added that every possible effort was being made to provide the best medical treatment to the injured.
The deceased were identified, and their family members are being contacted. Arrangements have been made to transport the mortal remains to their native villages via ambulance following the postmortem examination and to provide immediate financial assistance, he said.
Chief Minister Vishnu Deo Sai has announced a compensation of Rs 5 lakh to the families of each deceased worker and Rs 50,000 for those injured.
Vedanta Power has also announced a Rs 35 lakh compensation for the family of each deceased worker, along with employment support.
The company will also provide Rs 15 lakh to each injured person, ensure salary continuation until recovery, and offer counselling support, a statement from the plant management said.
The chief minister has ordered an inquiry by the Commissioner of the Bilaspur division, assuring strict action against the guilty.
He directed officials to ensure free and proper medical treatment for all injured and emphasised that no negligence in their care would be tolerated.
The district administration has also ordered a separate magisterial probe, while the company has initiated its own internal investigation.
Collector Topno has appointed the Sub-Divisional Magistrate (SDM) of Dabhra to conduct the magisterial inquiry.
The SDM has been asked to submit a report within 30 days covering key aspects, including the cause of the accident, whether it was due to technical or human error, and details of safety inspections carried out at the plant.
Meanwhile, the opposition Congress has demanded registration of an FIR against the plant management and a judicial inquiry into the incident.
State Congress communication wing head Sushil Anand Shukla on Wednesday alleged negligence on the plant management's part and accused the government of attempting to shield those responsible.
He also demanded compensation of Rs 1 crore for the families of the deceased and Rs 50 lakh for the injured.
The construction of a 1,200 MW coal-based thermal power project (two units of 600 MW each) in Singhitarai, originally owned by Athena Chhattisgarh Power Ltd, started in 2009, but remained stalled between 2016 and 2022.
Vedanta acquired the plant in 2022, after which a 600 MW unit was completed and commissioned in August last year, while the second unit is still under construction.
The deceased have been identified as Amrit Lal Patel, Thanda Ram Lahre, Udhab Singh Yadav, Rameshwar Mahilange, and Nadeem Ansari (all from Chhattisgarh); Susanta Jana, Sheikh Saifuddin, Manas Giri, Kailash Mahto, Shibnath Murmu, and Dipankar Singh (West Bengal), Tarun Kumar Ojha, Abdul Karim and Ashok Parhiya (Jharkhand), Raju Ram, Pappu Kumar and Brijesh Kumar (Uttar Pradesh), Aakib Khan and Ritesh Kumar (Bihar), and Chitranjan Dhulai of Madhya Pradesh, officials said.
