Facebook-owned chat messaging service WhatsApp has fixed a massive data vulnerability that left its more than 1.5 Bn users at risk from malicious spyware. The vulnerability, which could have led to breaches and unauthorised malware installation, has seemingly been present on WhatsApp for a number of years.
The bug was first reported by the Financial Times, which said that the vulnerability allowed attackers to inject spyware on phones with WhatsApp by using the app’s voice call function. The attack allowed hackers to surreptitiously install apps in the background during a voice call.
The report added that the spyware was developed by Israeli cyber surveillance company NSO Group. However, in a statement, NSO said its technology is licensed to authorised government agencies “for the sole purpose of fighting crime and terror”. The company added that it does not operate the system itself and also has a rigorous licensing and vetting process.
“We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system. Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” NSO was quoted as saying.
Spyware Installed During Voice Calls
The malicious spyware affected WhatsApp on both Android and iOS. However, the extent of the damage couldn’t be ascertained, even though WhatsApp claimed that it fixed the issue within 10 days. Considering that voice calling has been around on WhatsApp since 2014, the vulnerability could have already been exploited in the real world.
The company claimed its engineers worked around the clock in San Francisco and London to plug the vulnerability. WhatsApp started to roll out a fix last week and issued a patch for customers yesterday (May 13, 2019). It has urged all customers and users to update to the most recent version of the app through Google Play or the Apple App Store.
A WhatsApp spokesperson said, “WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices.”
WhatsApp Investigating The Data Breach
WhatsApp disclosed the issue to the US Department of Justice last week. Further, it also informed its lead regulator in the European Union, Ireland’s Data Protection Commission (DPC), of a “serious security vulnerability” on its platform.
In a statement, the body said, “The DPC understands that the vulnerability may have enabled a malicious actor to install unauthorized software and gain access to personal data on devices which have WhatsApp installed.” It added that it’s actively engaging with WhatsApp Ireland to determine the extent of damage.
Even though the impact of the vulnerability remains unclear, it’s not the best time for Facebook to be dealing with another major data controversy. After more than one year of continued data breaches and data concerns on a global level around its main social media platform, this is Facebook’s biggest security gaffe around WhatsApp.