Responding to allegations over breach of privacy of several Indian users on WhatsApp using Israeli surveillance software Pegasus, the Facebook-owned messaging company on Friday said that it had informed the authorities in India about the vulnerability in its software in May 2019.
The Pegasus spyware was used to spy on 1,400 individuals worldwide, including journalists, activists and lawyers in India. Firstpost has confirmed that 20 individuals in India were affected by the spyware.
In a statement, WhatsApp said, “Our highest priority is the privacy and security of WhatsApp users. In May, we quickly resolved a security issue and notified relevant Indian and international government authorities. Since then we’ve worked to identify targeted users to ask the courts to hold the international spyware firm known as the NSO Group accountable.”
Based on a May 2019 vulnerability note published on the official website of CERT-IN, a government agency tasked with the “objective of securing Indian cyberspace”, CERT-IN was aware of the vulnerability.
CERT-IN falls directly under the Ministry of Electronics and Information Technology, headed by Ravi Shankar Prasad.
However, government sources told ANI that the “communication was in pure technical jargon without any mention of Israeli Pegasus or the extent of the breach”.
What does the CERT-IN vulnerability note say
On 17 May 2019, CERT-IN published a vulnerability note — CIVN-2019-0080 — related to WhatsApp on its website with a severity rating of “high”. It said:
“A vulnerability has been reported in WhatsApp which could be exploited by a remote attacker to execute arbitrary code on the affected system”.
Under a subhead “description”, the note gives a detailed explanation of what the vulnerability is about. It reads:
“This vulnerability exists in WhatsApp due to a buffer overflow condition error. A remote attacker could exploit this vulnerability by making a decoy WhatsApp voice call to a target user’s phone number and thereby sending specially crafted series of SRTCP packets to the target system. This could trigger a buffer overflow condition leading to execution of arbitrary code by the attacker.
“Successful exploitation of this vulnerability could allow the attacker to access information on the system such as call logs, messages, photos, etc which could lead to further compromise the system.”
The last sentence of the note mentions what successful exploitation of the vulnerability could allow.
The solution suggested to all was to upgrade to the “latest version of WhatsApp”.
The note also shares a link to a Facebook advisory, which mentions the vulnerability and versions of the WhatsApp software that were affected by it. The advisory, which was last updated on 13 August 2019, said:
“A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number”.
This advisory doesn’t mention the “Pegasus spyware”. However, CERT-IN shared a few links along with details about the vulnerability in the note.
One such link points to a news website called HackerNews, which mentions Pegasus. It says: “Discovered, weaponised and then sold by the Israeli company NSO Group that produces the most advanced mobile spyware on the planet, the WhatsApp exploit (read vulnerability) installs Pegasus spyware on to Android and iOS devices.”
An archive of the URL’s history in the Wayback Machine shows that “Pegasus spyware” was mentioned in the article when it was published on 15 May, 2019.
The report also says that “the victim would not be able to find out about the intrusion afterwards as the spyware erases the incoming call information from the logs to operate stealthily”.
Govt asks WhatsApp for explanation
The Centre on Thursday had sought an explanation from WhatsApp for the breach of privacy after the messaging platform informed several Indian users this week that they had been targeted by Pegasus earlier this year.
Union information technology minister Ravi Shankar Prasad on Thursday said that the government is concerned at the breach of privacy of citizens of India and has sought a detailed explanation from the messaging platform.
“We have asked WhatsApp to explain the kind of breach and what it is doing to safeguard the privacy of millions of Indian citizens,” he tweeted.
According to reports, WhatsApp revealed that journalists and activists in India have been the target of surveillance by operators using the Israeli spyware Pegasus.
The messaging platform said that it had reached out to the people who were targeted, but declined to reveal the identities and “exact number” of those who were targeted.
With inputs from ANI