NEW DELHI: An Indian cyber security agency has warned WhatsApp users against a “vulnerability” that can compromise their individual account without seeking permissions even as the popular social messaging app said users have not been impacted.
The Computer Emergency Response Team-India (CERT-In) has issued an advisory in this context calling the severity of the threat, being spread by an MP4 file, as “high.” The advisory comes in the backdrop of recent developments where WhatsApp had informed the Indian government in September that over hundred Indian users were targeted by the Israeli spyware — Pegasus.
“A vulnerability has been reported in WhatsApp which could be exploited by a remote attacker to execute arbitrary code on the target system,” the latest advisory said.
The CERT-In is the nodal agency to combat hacking, phishing and to fortify security-related defences of the Indian internet domain.
A WhatsApp spokesperson said the company is constantly working to improve the security of their service. “We make public, reports on potential issues we have fixed consistent with industry best practices. In this instance there is no reason to believe users were impacted,” the spokesperson said. The Indian cyber security agency’s advisory suggested “upgrading” to the latest version of WhatsApp to combat or tide over the problem.
“The exploitation does not require any form of authentication from the victim’s end and executes on downloading of malicious crafted mp4 file on victim’s system,” it said.
WhatsApp regrets
WhatsApp has written to the government expressing regret over the Pegasus snooping row, and has assured that it is taking all security measures to address concerns, top government sources said. The sources, who requested not to be named, said the government has asked WhatsApp to reinforce its security wall, and that no more breaches at the messaging platform will be tolerated.
Last month, the Facebook-owned company had showed that Indian journalists and human rights activists were among those globally spied upon by unnamed entities using Pegasus spyware. (PTI)
