India’s cyber security agency CERT-In has issued a warning to the users of the popular instant messaging app WhatsApp, about certain vulnerabilities. These vulnerabilities could lead to a breach of sensitive information of WhatsApp users. WhatsApp is having a terrible month—and it’s not getting any better. Not only did an account suspension hack make headlines around the world, but other serious flaws have also just been reported. This should serve as a warning for WhatsApp’s 2 billion users to be wary of how they use the app.
The CERT-In is the nodal agency to deal with cyber security threats like hacking and phishing. It strengthens security-related defense of the Indian Internet domain.
A “high” severity rating advisory was issued by the CERT-In or the Indian Computer Emergency Response Team. It said that the vulnerability has been detected in software that has “WhatsApp and WhatsApp Business for Android prior to v188.8.131.52 and WhatsApp and WhatsApp Business for iOS prior to v2.21.32.” The CERT-In is the national technology arm to combat cyber attacks and guard the Indian cyber space.
"Multiple vulnerabilities have been reported in WhatsApp applications which could allow a remote attacker to execute arbitrary code or access sensitive information on a targeted system," the advisory issued on Saturday said.
Describing the risk in detail, it said that these vulnerabilities "exist in WhatsApp applications due to a cache configuration issue and missing bounds check within the audio decoding pipeline."
"Successful exploitation of these vulnerabilities could allow the attacker to execute arbitrary code or access sensitive information on a targeted system," it said.
WhatsApp is at something of a pivot point. Next month, its new terms of service come into effect, enabling Facebook to increase its monetization of the platform. This prompted the backlash in January, and will no doubt see more of the same next month, when account restrictions become effective. Meanwhile, there are legal challenges for WhatsApp and its parent Facebook to contend with. The lack of backup encryption—which is reportedly being fixed—is one major feature gap for WhatsApp, as is the lack of multi-device options, also reportedly being addressed.
One of Germany’s toughest data regulators is also seeking an administrative order that would stop Facebook Inc. from collecting user data from its WhatsApp unit. The regulator in the city of Hamburg is seeking an “immediately enforceable order” before May 15 over concerns that policy changes could lead to the use of such data for wider marketing and advertising purposes.
WhatsApp should be applauded for expanding the use of end-to-end encryption to billions of users around the world. But what happens in the next few months is very critical. For the first time, it has genuine competition—Signal is every bit as good to use, albeit much smaller, and Telegram has scale, albeit key security weaknesses. But the network effect around these other apps is now creating real alternatives.
Coming back to the CERT-In warning, advisory had stated that WhatsApp users should update to the latest version of the app from the Google Play Store or iOS App Store in order to counter this vulnerability threat.