121 Indians may have been snooped: WhatsApp in September alert
What's the story
Even as Indian authorities previously claimed that WhatsApp failed to alert them about a privacy breach by Israeli spyware, the Facebook-owned company reportedly issued two notifications in May and September. According to reports, while the May alert informed authorities of the critical vulnerability, the September notification specified that 121 Indians may have been targeted by the Israeli company's spyware. Here are more details.
Breach
What was the privacy breach in WhatsApp?
In May, cybersecurity company Citizen Labs discovered a "buffer overflow condition error" in WhatsApp. It was alleged that the Israeli company NSO Group injected malicious spyware, Pegasus, when a user received a WhatsApp voice call, even if it went unanswered. The spyware was allegedly used to gain access to the user's WhatsApp messages/calls, regular calls, passwords, contacts, calendar, phone's microphone and camera, NDTV reported
Details
121 Indians may have been targeted; unclear if successfully hacked
On Sunday, sources familiar with the developments informed several news portals that 121 Indian users were targeted by the security breach. However, it was unclear how many among them were successfully hacked, Hindustan Times quoted a source in WhatsApp as saying. WhatsApp attached both May and September notes in response to a notice issued by the Information and Technology Ministry, The Indian Express reported.
Information
IT Ministry officials confirmed to have received WhatsApp's response: Report
In a Thursday notice, the IT Ministry had sought an explanation from the Facebook-owned company about the privacy breach till November 4, claiming that it had not been informed about it earlier. According to TIE, IT Ministry officials confirmed that they have received the response.
Quote
September alert doesn't specify impact: IT Ministry source
A Ministry source told TIE, "The letter says that it appears that some 121 people may have been affected but doesn't specifically say what the impact was. It doesn't tell who, what, where...identities which have now come out in the media." They added, "They've been trying to reach out to (those affected) through a Canadian group. Nowhere has the Indian government been involved."
May alert
Govt source described May alert as 'pure technical jargon'
Speaking about the May alert, a government source said on Friday that it was "pure technical jargon without any mention of Pegasus or the extent of the breach." Incidentally, some claimed that the May 17 notification apparently disappeared from the website of Cert-In, the IT Ministry's nodal agency dealing with cybersecurity threats. However, the vulnerability note, CIVN-2019-0080, was found live on Cert-In's website.
Quote
'Remote attacker could exploit vulnerability by making decoy WhatsApp call'
The notification on the website clearly states in part, "A remote attacker could exploit this vulnerability by making a decoy WhatsApp voice call to target a user's phone number and thereby sending specially crafted series of SRTCP packets to the target system."
History
WhatsApp sued NSO Group on Tuesday
On Tuesday, WhatsApp filed a lawsuit in a federal court in San Francisco, accusing the NSO Group of privacy breach in 20 countries, affecting 1,400 people worldwide. The lawsuit claimed that the Israeli firm helped governments across countries spy on diplomats, political dissidents, journalists, and government officials. NSO Group denied the allegations. Both WhatsApp and India, in separate statements, said they valued privacy.