WhatsApp urges update after 'serious' security breach
Last updated on: 14 May, 2019 08:58 pm
The firm did not comment on the number of users affected or who targeted them, and said it had reported the matter to US authorities.
SAN FRANCISCO (AFP) - WhatsApp on Tuesday encouraged its users to upgrade the app to plug a security breach that allowed sophisticated attackers to sneak spyware into phones, in the latest trouble for its parent Facebook.
The vulnerability -- first reported by the Financial Times, and fixed in the latest WhatsApp update -- allowed hackers to insert malicious software on phones by calling the target using the app, which is used by 1.5 billion people around the world.
"WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices," a spokesperson said in a statement to AFP.
The FT cited a spyware dealer as saying the tool was developed by a shadowy Israel-based firm called the NSO Group, which has been accused of helping governments from the Middle East to Mexico snoop on activists and journalists.
And security researchers said the malicious code bore similarities to other tech developed by the firm, according to The New York Times.
The latest exploit - which impacts Android devices and Apple’s iPhones, among others - was discovered earlier this month and WhatsApp scrambled to fix it, rolling out an update in less than 10 days.
The firm did not comment on the number of users affected or who targeted them, and said it had reported the matter to US authorities.
It also informed authorities in Ireland about the "serious security vulnerability", according to a statement by the country’s Data Protection Commission (DPC).
"The DPC is actively engaging with WhatsApp Ireland to determine if and to what extent any WhatsApp EU user data has been affected," it said.
It echoed WhatsApp in encouraging users to update the app, as "the possibility remains that EU users were affected".
The breach is the latest in a series of issues troubling WhatsApp’s parent Facebook, which has faced intense criticism for allowing its users’ data to be harvested by research companies and over its slow response to Russia using the platform as a means to spread disinformation during the 2016 US election campaign.
- Highly invasive software -
The WhatsApp spyware is sophisticated and "would be available to only advanced and highly motivated actors", the company said, adding that a "select number of users were targeted".
"This attack has all the hallmarks of a private company that works with a number of governments around the world", according to initial investigations, it added, but did not name the firm.
WhatsApp has briefed human rights organizations on the matter, but did not identify them.
The Citizen Lab, a research group at the University of Toronto, said in a tweet it believed an attacker tried to target a human rights lawyer as recently as Sunday using this flaw, but was blocked by WhatsApp.
The NSO Group came to prominence in 2016 when researchers accused it of helping spy on an activist in the United Arab Emirates. Its best-known product is Pegasus, a highly invasive tool that can reportedly switch on a target’s phone camera and microphone, and access data on it.
The firm said Tuesday that it only licenses its software to governments for "fighting crime and terror".
The NSO Group "does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions", it said in a statement to AFP.
"We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system."
Here are some previous cases of a similar kind.
- Yahoo, billions hacked -
In what is considered the biggest cyberattack in history, a 2013 hack affected all three billion accounts at Yahoo.
Another attack on Yahoo, blamed on Russian hackers, affected some 500 million accounts in 2014, with stolen data including usernames, email addresses and birthdates.
It was only revealed in September 2016 and resulted in a fine of $35 million in 2018 for its then-financial arm, Altaba.
- Taking aim at Target -
The US retail giant was hit by a computer attack in 2013 that affected 110 million clients.
Seventy million might have lost personal data including names, addresses, phone numbers and e-mail accounts, while 40 million bank accounts and credit cards were also put at risk.
- Password plunder -
In 2014 online data protection firm Hold Security claimed that Russian hackers had accessed 1.2 billion passwords linked to 420,000 internet sites around the world, from corporate giants to individual accounts.
Hold Security pointed to a group of hackers called "CyberVor", which it said had potentially gained access to 500 million e-mail accounts.
- South Korea panic -
In 2014 the personal data of at least 20 million bank and credit card users in South Korea was leaked in one of the country’s biggest ever breaches.
An employee from personal credit ratings firm Korea Credit Bureau (KCB) had stolen the data from customers of three credit card firms and sold it to phone marketing companies.
- Hottest hack -
In 2015 hackers calling themselves The Impact Team published nearly 30 gigabytes of files including the names and sexual orientation of people who had signed up with Ashley Madison, a website facilitating extra-marital affairs.
The company’s boss stepped down as several suicides in the United States and Canada were linked to the revelations.
Ashley Madison had earlier offered to delete users’ personal data for a modest fee but did not.
- Uber off the road -
The ride-sharing giant was vilified after the hacking in 2016 of data on 57 million of its riders and drivers, unveiled only in November 2017.
It was also criticized for paying the hackers $100,000 to destroy their booty.
Uber was fined $148 million for covering up the fraud, and was also prosecuted in The Netherlands and Britain.
- Equifax loses credit -
A breach by major American credit agency Equifax in 2017 might have affected more than 147 million US clients, plus others from Canada and Britain.
The company was sued for having identified but not corrected the breach, having insufficient security systems and delaying reporting the problem.
- Facebook under fire -
In 2018 hackers exploited a trio of software flaws to access the personal data of 29 million Facebook users, getting hold of names, phone numbers and email addresses.
The breach sparked renewed criticisms of Facebook after it acknowledged that tens of millions of users had their personal data hijacked by Cambridge Analytica, a political firm working for Donald Trump in 2016.
- Intrusion at Marriott -
Global hotel giant Marriott International said in November 2018 up to 383 million guests may have been victims of a hack, involving five million passport numbers and less than 2,000 credit card numbers.
US Secretary of State Mike Pompeo blamed China.