SUMMARY
WhatsApp’s voice call feature can be used to hack into a user’s device
WhatsApp has issued a security patch to fix the issue
An Israeli cybersecurity firm had developed the software used for the hack
Ministry of Electronics and Information Technology (MeitY) has asked for the details of the latest loophole in WhatsApp, which has put the personal information of the users at risk. The Indian government has asked for details such as the number of users affected and the steps taken by WhatsApp to address the issue.
A government official reportedly said that “We sent an email to WhatsApp asking them to explain the vulnerability and steps undertaken to address the situation.”
On May 13, Financial Times reported a bug in WhatsApp which left over 1.5 Bn users across the world vulnerable to spyware attack using WhatsApp’s calling function. The loophole allowed a hacker to inject spyware into the target phone thus putting all information on the device at risk of theft and misuse.
The spyware can be injected into the target phone with a simple voice call on WhatsApp and will be installed on the victim’s phone without even answering the call. Once injected, the spyware will have the iOS or the Android phone at its grip and any information, such as emails, text messages and contact list can be retrieved by the hacker.
A spy software named as Pegasus was used to create the bug to exploit WhatsApp’s security loophole. Pegasus was created by an Israeli cybersecurity firm known as the NSO Group. Pegasus software was allegedly also used to spy over Washington Post reporter Jamal Khashoggi whose murder became a global headline.
The website of NSO Group claims that their products help government intelligence and law-enforcement agencies use technology to meet the challenges of encryption to prevent and investigate terror and crime.
“We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system. Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” NSO was quoted as saying by the Financial Times.
The affected versions of WhatsApp are as follows:
WhatsApp Business for Android prior to v2.19.44
WhatsApp for iOS prior to v2.19.51
WhatsApp Business for iOS prior to v2.19.51
WhatsApp for Windows Phone prior to v2.18.348
WhatsApp for Tizen prior to v2.18.15
The bug, classified as a CVE (common vulnerabilities and exposure) is numbered as CVE-2019-3568 and according to the information on Playstore, was fixed by WhatsApp through a security patch. A WhatsApp spokesperson said, “WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices.”
Facebook also issued a statement in relation to the bug classifying and the bug and listing the affected versions of WhatsApp. “A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via a specially crafted series of SRTCP packets sent to a target phone number,” the Facebook classification of the bug said.
