WhatsApp hid vulnerability for 6 months

November 20, 2019 01:09 am | Updated 01:12 am IST - Gautam S. Mengle Mumbai

Indian government only informed on November 14, while U.S. database has an entry from May 14

The recent vulnerability discovered in WhatsApp has once again brought into focus the selective approach the instant messaging app seems to adopt when it comes to its Indian consumers. The Hindu has learnt that WhatsApp knew about the vulnerability six months ago, but only put out an update four days ago.

The vulnerability, which has since been patched, can be exploited by sending a specially crafted MP4 file, which triggers a buffer overflow in the app, causing it to crash for a short period of time. This window can be used by those with malicious intent to install malware on the device. The malware can do anything from using the device for a denial of service attack to executing code remotely on the device.

The website of the National Vulnerability Database, a repository of vulnerabilities maintained by the U.S. government, shows that the first update about the vulnerability was posted on May 14 and later modified on August 13. However, an update about it was released for Indian users on Facebook only on November 14.

Cyber police officials said this once again brings into focus the selective approach that WhatsApp adopts when it comes to regard for Indian laws and law enforcement agencies.

Indian police agencies have for long lamented the fact that WhatsApp never shares any data with them regarding the source of potentially problematic content shared on it.

In a statement shared with The Hindu on Tuesday, a spokesperson from the app said, “WhatsApp is constantly working to improve the security of our service. We make public, reports on potential issues we have fixed consistent with industry best practices. In this instance there is no reason to believe users were impacted.”

No response to queries

WhatsApp, however, did not respond to The Hindu’s query about it being aware of the vulnerability for six months. It also did not respond to an additional query about what mechanisms were in place to track whether any users are affected by any vulnerability, saying only that “we feel that the statement speaks to your questions.”

When contacted, Special Inspector General of Police Brijesh Singh, Maharashtra Cyber, said, “If WhatsApp follows U.S. rules in the U.S., and they have compulsory reporting standards, they should also inform all Indian citizens who might have been compromised.”
