Major Security Flaw Opens Facebook's WhatsApp Messenger to Spyware

A major security flaw in Facebook’s WhatsApp messaging program allowed hackers to remotely install surveillance software on both Apple and Google Android devices has been discovered.

The Financial Times reports that encrypted messaging service WhatsApp, which is owned by tech giant Facebook, had a particularly worrying security flaw which allowed hackers to install surveillance software on phones and other devices. The coordinated hacking attempts targeted a “select number” of users and were planned by “an advanced cyber actor,” according to the report.

The Financial Times alleges that the surveillance software used by hackers was developed by the Israeli security firm NSO Group; the vulnerability was first discovered in May and WhatsApp has suggested that all of its 1.5 billion users update their apps in order to receive a fix for the issue which was released on Friday. Faebook has advertised WhatsApp as a secure messaging app due to the fact that messages sent are end-to-end encrypted, meaning only the recipient and sender of messages should be able to view them in a readable format.

But the surveillance bug would have allowed an attacker to read messages sent between users easily. Ahmed Zidan from the non-profit Committee to Protect Journalists posted a tweet urging “journalists, lawyers, activists & human rights defenders,” to update their WhatsApp apps as they could easily be targeted by the attack. Some sources are claiming that the DNC has alerted the staffs of 2020 Democratic campaigns to update WhatsApp as well.

The attack involved using WhatsApp’s voice call system to ring a target’s device. Even if the target did not answer the call, the surveillance software could be installed on their device. In a briefing document given to journalists, WhatsApp stated: “The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems.”

WhatsApp published an advisory to security specialists, describing the vulnerability as: “A buffer overflow vulnerability in WhatsApp VOIP [voice over internet protocol] stack allowed remote code execution via specially crafted series of SRTCP [secure real-time transport protocol] packets sent to a target phone number.”

According to Professor Alan Woodward from the University of Surrey, this is a “pretty old-fashioned” method of attack. Woodward stated: “In a buffer overflow, an app is allocated more memory than it actually needs, so it has space left in the memory. If you are able to pass some code through the app, you can run your own code in that area. In VOIP there is an initial process that dials up and establishes the call, and the flaw was in that bit. Consequently, you did not need to answer the call for the attack to work.”

BBC News published a guide on updating WhatsApp which can be read below:

How do I update WhatsApp?

Android

  • Open the Google Play store
  • Tap the menu at the top left of the screen
  • Tap My Apps & Games
  • If WhatsApp has recently been updated, it will appear in the list of apps with a button that says Open
  • If WhatsApp has not been automatically updated, the button will say Update. Tap Update to install the new version
  • The latest version of WhatsApp on Android is 2.19.134

iOS

  • Open the App Store
  • At the bottom of the screen, tap Updates
  • If WhatsApp has recently been updated, it will appear in the list of apps with a button that says Open
  • If WhatsApp has not been automatically updated, the button will say Update. Tap Update to install the new version
  • The latest version of WhatsApp on iOS is 2.19.51

WhatsApp stated that it is currently too early to determine how many people were targeted by the attack or how long the vulnerability was present in the app. WhatsApp has not clarified whether the attack could extend beyond the WhatsApp app on users phones into other apps such as emails, calls, and photos. Breitbart News will continue to update readers on the situation.

Lucas Nolan is a reporter for Breitbart News covering issues of free speech and online censorship. Follow him on Twitter @LucasNolan or email him at lnolan@breitbart.com