WhatsApp vulnerability: CERT-In issues advisory; company says users unaffected

New Delhi: An Indian cyber security agency has warned WhatsApp users about a vulnerability that can compromise an individual's account without requiring any action from the user, even as the popular messaging app said it has no reason to believe users were impacted.

The Computer Emergency Response Team-India (CERT-In) has issued an advisory on the issue, rating the severity of the threat, which is delivered through a specially crafted MP4 file, as "high".

Last month, the Facebook-owned company had disclosed that Indian journalists and human rights activists were among those spied upon globally by unnamed entities using Pegasus spyware.

According to WhatsApp, the spyware was developed by Israel-based NSO Group and had been used to snoop on about 1,400 users globally, including 121 users from India.

Following the government's notice seeking more information on the attacks, WhatsApp had responded that it had alerted CERT-In in September that 121 Indian users had been targeted by Pegasus.

"A vulnerability has been reported in WhatsApp which could be exploited by a remote attacker to execute arbitrary code on the target system," the latest advisory said.

CERT-In is the nodal agency for combating hacking and phishing and for fortifying the security defences of the Indian internet domain.

A WhatsApp spokesperson said the company is constantly working to improve the security of its service.

"We make public reports on potential issues we have fixed, consistent with industry best practices. In this instance there is no reason to believe users were impacted," the spokesperson said.

The Indian cyber security agency's advisory advised users to upgrade to the latest version of WhatsApp to mitigate the problem; the advisory names no other workaround.

Describing the vulnerability in the messaging app, the advisory said, "A stack-based buffer overflow vulnerability exists in WhatsApp due to improper parsing of elementary stream metadata of an MP4 file. A remote attacker could exploit this vulnerability by sending a specially crafted MP4 file to the target system."

It added that parsing such a file could trigger a buffer overflow condition leading to execution of arbitrary code by the attacker.

"The exploitation does not require any form of authentication from the victim's end and executes on downloading of the maliciously crafted MP4 file on the victim's system," it said.

Successful exploitation of this vulnerability, it said, could allow a remote attacker to achieve remote code execution (RCE) or cause a denial of service (DoS), either of which could lead to further compromise of the system. Because the advisory says the flaw is triggered when the file is downloaded rather than when it is opened, a user need not interact with the message for the parser to process the crafted file.
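To make the class of bug concrete, the C program below is an added illustration written for this page, not WhatsApp's code and not the actual flaw. It parses a single MP4 box (the standard 4-byte big-endian size, 4-byte type, then payload) and copies elementary-stream metadata into a fixed-size buffer, first trusting the box's declared length the way a naive parser would, then with the length check that prevents the overflow. The 'esds' box type, the 32-byte buffer size, the constructed crafted box and the sentinel field standing in for whatever lies beyond the buffer on the stack are all assumptions made for the example.

```c
/* Added illustration for this page, not WhatsApp's code: how trusting an
 * MP4 box's declared length overflows a fixed-size buffer holding
 * elementary-stream metadata, and the check that prevents it.
 * Box layout is the ISO BMFF header: 4-byte big-endian size, 4-byte type,
 * then payload. The 'esds' type, META_MAX and the sentinel are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define META_MAX 32u

/* Stands in for a stack frame: a fixed buffer with whatever sits after it. */
struct es_frame {
    uint8_t  meta[META_MAX];
    uint32_t canary;      /* sentinel: clobbered if the copy runs past meta */
};

struct demo_result {
    int      rc;
    uint32_t canary;
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Reads one box header from buf[0..len). Keeps the reader inside the input
 * buffer but says nothing about where the caller will copy the payload. */
static int read_box(const uint8_t *buf, size_t len, char type[5],
                    const uint8_t **payload, uint32_t *plen) {
    if (len < 8) return -1;
    uint32_t size = be32(buf);
    if (size < 8 || size > len) return -1;
    memcpy(type, buf + 4, 4);
    type[4] = '\0';
    *payload = buf + 8;
    *plen = size - 8;
    return 0;
}

/* Naive: copies plen bytes into meta without comparing plen to META_MAX. */
int parse_esds_naive(const uint8_t *box, size_t len, struct es_frame *f) {
    char type[5]; const uint8_t *payload; uint32_t plen;
    if (read_box(box, len, type, &payload, &plen) != 0) return -1;
    if (memcmp(type, "esds", 4) != 0) return -1;
    volatile uint8_t *dst = f->meta;      /* volatile: keep the overflowing writes */
    for (uint32_t i = 0; i < plen; i++)   /* BUG: plen is attacker-controlled */
        dst[i] = payload[i];              /* runs past meta when plen > META_MAX */
    return 0;
}

/* Hardened: rejects any payload the fixed buffer cannot hold. */
int parse_esds_checked(const uint8_t *box, size_t len, struct es_frame *f) {
    char type[5]; const uint8_t *payload; uint32_t plen;
    if (read_box(box, len, type, &payload, &plen) != 0) return -1;
    if (memcmp(type, "esds", 4) != 0) return -1;
    if (plen > META_MAX) return -1;       /* the missing bounds check */
    memcpy(f->meta, payload, plen);
    return 0;
}

/* Builds a constructed 'esds' box: header plus payload_len bytes of fill. */
size_t build_esds_box(uint8_t *out, size_t out_len, uint32_t payload_len, uint8_t fill) {
    uint32_t size = 8 + payload_len;
    if (out_len < size) return 0;
    out[0] = (uint8_t)(size >> 24); out[1] = (uint8_t)(size >> 16);
    out[2] = (uint8_t)(size >> 8);  out[3] = (uint8_t)size;
    memcpy(out + 4, "esds", 4);
    memset(out + 8, fill, payload_len);
    return size;
}

/* Feeds a crafted box (payload 4 bytes longer than META_MAX) to one parser
 * and reports its return code and the sentinel's value afterwards. */
struct demo_result run_crafted(int checked) {
    uint8_t box[64];
    size_t n = build_esds_box(box, sizeof box, META_MAX + 4, 0x41);
    struct es_frame f = { .canary = 0xDEADBEEFu };
    struct demo_result r;
    r.rc = checked ? parse_esds_checked(box, n, &f) : parse_esds_naive(box, n, &f);
    r.canary = f.canary;
    return r;
}

int main(void) {
    struct demo_result a = run_crafted(0), b = run_crafted(1);
    printf("naive:   rc=%d canary=0x%08X (sentinel overwritten with 'A's)\n", a.rc, a.canary);
    printf("checked: rc=%d canary=0x%08X (crafted box rejected)\n", b.rc, b.canary);
    return 0;
}
```

The point of the two parsers is where the length is validated: read_box only ensures the declared box size fits inside the input, which is necessary but not sufficient, and the naive copy still spills past the fixed buffer into the sentinel. The hardened version adds the single comparison against the destination size, which is the check the advisory's description implies was missing.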

It listed six WhatsApp builds as affected by the vulnerability.

They are WhatsApp for Android prior to 2.19.274, WhatsApp for iOS prior to 2.19.100, WhatsApp Enterprise Client prior to 2.25.3, WhatsApp for Windows Phone prior to 2.18.368, WhatsApp Business for Android prior to 2.19.104 and WhatsApp Business for iOS prior to 2.19.100. Builds at or above the listed version numbers contain the fix, so users can confirm they are protected by comparing the version shown in the app's settings against the threshold for their platform.

WhatsApp expresses 'regret' over Pegasus snooping row

WhatsApp has written to the government expressing "regret" over the Pegasus snooping row, and has assured that it is taking all security measures to address concerns, top government sources said.

The sources, who requested not to be named, said the government has asked WhatsApp to shore up its security, and that no more breaches at the messaging platform will be tolerated.

A WhatsApp spokesperson, in an e-mailed statement, said the company is deeply committed to protecting the privacy of its users in India "by providing industry-leading security for all messages and calls and by staying ahead of advanced threats to user security".

WhatsApp has over 400 million users in India.

"The government also plays a critical role here and we are committed to continuing to engage them in a timely manner on sensitive issues related to user privacy and security. We regret that we have not met the government's expectations for proactive engagement on these issues and will strive to do better," the spokesperson said.

The spokesperson also noted that the company will work with the government to "address their appropriate concerns".

In response to a question in the Lok Sabha on Wednesday, IT Minister Ravi Shankar Prasad said the cyber security agency CERT-In has issued a notice to WhatsApp seeking details on the targeting of mobile phones of Indian citizens by the Israeli spyware Pegasus.

Parliament panel votes in favour of taking up WhatsApp snooping issue

A meeting of a parliamentary committee, headed by Congress leader Shashi Tharoor, was marked by sharp differences among its members over whether to take up the WhatsApp snooping issue, and the panel discussed the matter only after a vote in favour of doing so.

Sources said the casting vote of Tharoor in favour of taking up the issue, which has become a political row with opposition members raising the matter in Parliament, settled a long and heated discussion, with the secretaries of the Home ministry and the Electronics and Information Technology ministry kept waiting for over two hours.

With the panel members unable to arrive at a conclusion, votes were cast.

Tharoor had earlier written a letter to the members of the Parliamentary Standing Committee on Information Technology, saying the alleged use of technology for snooping on Indian citizens was a matter of "grave concern" and it would be discussed at its meeting on Wednesday.

Senior government officials briefed its members on the issue of "Citizens' data security and privacy".

(With PTI inputs)