Maria Montero

WhatsApp claims it informed authorities about the vulnerability in …

In response to allegations that the privacy of various Indian WhatsApp users was breached using the Israeli surveillance software Pegasus, the Facebook-owned messaging company claimed on Friday that it had informed the Government of India about the vulnerability in its software in May 2019.

The Pegasus spyware was used to spy on journalists, activists and lawyers in India and 1,400 worldwide. First comment has confirmed that 20 people were affected by the spyware.

In a statement, WhatsApp said: “Our highest priority is the privacy and security of WhatsApp users. In May, we quickly resolved a security issue and notified the relevant Indian and international government authorities. Since then, we have worked to identify specific users to ask the courts to hold the international spyware firm known as NSO Group responsible.”

According to a vulnerability note published by CERT-IN, a government agency charged with the “objective of securing Indian cyberspace”, CERT-IN was aware of the vulnerability in May 2019.

CERT-IN belongs directly to the Ministry of Electronics and Information Technology, headed by Ravi Shankar Prasad.

However, government sources said AND ME that “the communication was purely technical jargon with no mention of Israeli Pegasus or the extent of the violation.”

What does the CERT-IN vulnerability note say?

On May 17, 2019, CERT-IN published a vulnerability note (CIVN-2019-0080) related to WhatsApp on its website with a severity rating of “HIGH”. It said:

“A vulnerability has been reported in WhatsApp that could be exploited by a remote attacker to execute arbitrary code on the affected system.”

Under a subtitle “description”, the note provides a detailed explanation of what the vulnerability is about. It reads:

“This vulnerability exists in WhatsApp due to a buffer overflow condition bug. A remote attacker could exploit this vulnerability by making a decoy WhatsApp voice call to a target user’s phone number and sending specially crafted series of SRTCP packets to the system. This could trigger a buffer overflow condition that leads to arbitrary code execution by the attacker.

“Successful exploitation of this vulnerability could allow the attacker to access information in the system, such as call logs, messages, photos, etc., which could further compromise the system.”

The last sentence of the note clearly states what successful exploitation of the vulnerability could allow.

The solution suggested for everyone was to update to the “latest version of WhatsApp”.

The note also shares a link to an advisory issued by Facebook, owner of WhatsApp, about the vulnerability and the versions of WhatsApp software that were affected by it. The notice, which was last updated on August 13, 2019, read: