The recent vulnerability discovered in WhatsApp has once again brought into focus the selective approach the instant messaging app seems to adopt when it comes to its Indian consumers. The Hindu has learnt that WhatsApp knew about the vulnerability six months ago, but only put out an update four days ago.
The vulnerability, which has since been patched, can be exploited by sending a specially crafted MP4 file, which triggers a buffer memory overflow in the app, causing it to crash for a short period of time. This window can be used by those with malicious intent to install malware on the device. The malware can do anything from using the device for a denial of service attack to execute a remotely controlled code on the device.
The website of the National Vulnerablities Database, a repository of vulnerabilities maintained by the U.S. government, shows that the first update about the vulnerability was posted on May 14 and later modified on August 13. However, an update about it was released for Indian users on Facebook only on November 14.
Cyber police officials said this once again brings into focus the selective approach that WhatsApp adopts when it comes to regard for Indian laws and law enforcement agencies.
Indian police agencies have for long lamented the fact that WhatsApp never shares any data with them regarding the source of potentially problematic content shared on it.
In a statement shared with The Hindu on Tuesday, a spokesperson from the app said, “WhatsApp is constantly working to improve the security of our service. We make public, reports on potential issues we have fixed consistent with industry best practices. In this instance there is no reason to believe users were impacted.”
No response to queries
WhatsApp, however, did not respond to The Hindu’ s query about it being aware of the vulnerability for six months. It also did not respond to an additional query about what mechanisms were in place to track whether any users are affected by any vulnerability, saying only that “we feel that the statement speaks to your questions.”
When contacted, Special Inspector General of Police Brijesh Singh, Maharashtra Cyber, said, “If WhatsApp follows U.S. rules in the U.S., and they have compulsory reporting standards, they should also inform all Indian citizens who might have been compromised.”