Terming the WhatsApp's reply having "certain gaps", the Ministry of Electronics and Information Technology (MeitY) has decided to write to the company over its response to the government charges that the messaging company didn't inform it on time and with details that personal data of Indians were compromised by the spyware, while WhatsApp is learnt to have countered the government.
"WhatsApp has replied. We will be reaching out to them for many gaps in their reply. Everything in detail is not there. Definitely, we will be writing to them soon", said a senior IT Ministry official.
However, sources in WhatsApp said the company had responded to the government. The response was from the company's global office, they said without elaborating.
Sources said in response to the MeitY's notice for explanation on the breach, WhatsApp attached the vulnerability note it filed in May and the September letter to the government.
Thus, the Facebook-owned company is learnt to have countered the government charge that it didn't inform it about a privacy breach on the messaging platform.
It stated in the September letter that 121 Indians were compromised by the Israeli spyware Pegasus. WhatsApp didn't comment on details of its reply to MeitY.
"We are looking into their reply. When their ((WhatsApp) communications came on May 20, CERT had already issued a vulnerability report on May 17. We had taken action. Thus, their information had no relevance. Our stand on vulnerability on account of this has not changed since May 17. The government acted on information available elsewhere and CERTs of other countries, not on WhatsApp's information," said another official of the ministry.
The Ministry had asked WhatsApp to explain the breach. There was a revelation by WhatsApp that Indian jounalists and rights activists were among users targeted by an Israeli spyware. The disclosure followed a lawsuit filed in a San Francisco court last week where WhatsApp alleged that Israeli NSO Group targeted some 1,400 WhatsApp users with Pegasus.
CERT-In is the nodal agency for responding to computer security incidents. It collects, analyses and disseminates information of cyber incidents.
On May 17, CERT-In said vulnerability had been reported in WhatsApp, which could be exploited by a remote attacker to execute arbitrary code on the affected system. "This vulnerability exists in WhatsApp due to a buffer overflow condition error".
Giving a "high" severity rating, CERT-In suggested upgrade to latest version of WhatsApp.
WhatsApp has triggered enough political heat in India as two parliamentary standing committees - panels on home and information technology - are expected to seek details of the alleged breach from the government.