In the ongoing tussle between the government and Facebook-owned instant messaging service WhatsApp over Israeli malicious software being used to spy on some Indian citizens, government sources said late Friday evening that WhatsApp had not disclosed to Indian authorities full information about the video calling vulnerability.
“WhatsApp had given information to CERT-IN, a government agency as seen in the attached image in May. As is seen in the image, it is a communication in pure technical jargon without any mention of Pegasus or the extent of breach. Thus, the information shared was only about a technical vulnerability but nothing on the fact that privacy of Indian users had been compromised,” said a government source.
The image referred to was a security alert from the Computer Emergency Response Team of India (CERT-In), which was published in May.
“A vulnerability has been reported in WhatsApp which could be exploited by a remote attacker to execute arbitrary code on the affected system... Successful exploitation of this vulnerability could allow the attacker to access information on the system such as call logs, messages, photos, etc, which could lead to further compromise of the system,” it said.
CERT-In is the national agency that keeps tabs on cyber incidents and cyberattacks in India.
On October 30, Will Cathcart, the head of WhatsApp, had written in an opinion piece in The Washington Post: “In May, WhatsApp announced that we had detected and blocked a new kind of cyberattack involving a vulnerability in our video-calling feature... Now, after months of investigation, we can say who was behind this attack. Today, we have filed a complaint in federal court that explains what happened and attributes the intrusion to an international technology company called NSO Group.”
The following day, it was reported that the vulnerability in WhatsApp had been exploited to target journalists and activists in India as well.
Pegasus is malicious software developed by NSO Group and sold to governments. Its use to hack into Apple devices running certain versions of iOS was first reported in 2016.
The government has asked WhatsApp to explain by November 4 how the breach occurred and how the privacy of Indian citizens was compromised.