(Reuters) – WhatsApp Inc. said on Tuesday that a security breach on its messaging program had signs of coming from a government using surveillance technology developed by a private company and may have targeted human rights groups.
WhatsApp, which is part of Facebook, said it had notified the US Department of Justice to help with an investigation and urged all WhatsApp users to update to the latest version of the app, in which the breach has been fixed.
WhatsApp, one of the most popular messaging tools in the world, is used by 1.5 billion people every month. It has touted its high level of security and privacy, with messages on its platform being encrypted end-to-end so that WhatsApp and third parties cannot read or listen to them.
The company said it was still investigating the breach but believed only a "select number of users were targeted through this vulnerability by an advanced cyber actor."
But its advice to all users to update "was extremely cautious" and came on a recommendation from Citizen Lab, a research group at the University of Toronto.
A spokesman from WhatsApp said the attack was sophisticated and had all the hallmarks of a "private business dealing with surveillance governments."
Human Rights
"We work with human rights groups to learn as much as we can about who may have been affected by their society. That's where our greatest concern is," said the spokesman.
Citizen Lab tweeted: "We believe an attacker tried (and was blocked by WhatsApp) to exploit it as late as yesterday to address a human rights lawyer."
Ireland's Data Protection Commission, WhatsApp's lead regulator in the European Union, said that WhatsApp had notified the agency late on Monday of a "serious security problem" on the platform.
"The DPC understands that the vulnerability may have allowed a malicious actor to install unauthorized software and access personal data on devices that have WhatsApp installed," the regulator said in a statement.
Cybersecurity experts said most users were unlikely to have been affected.
Scott Storey, Cyber Security Senior Lecturer at Sheffield Hallam University, believes that most WhatsApp users were not affected, as it appears to be governments targeting specific people, primarily human rights actors.
"For the average end user, it's not something to really worry about," he said, adding that WhatsApp found the vulnerability and quickly fixed it. "This is not someone trying to steal private messages or personal information."
Storey said revealing vulnerabilities was a good thing and would probably cause other services to go
The Financial Times initially reported on the WhatsApp vulnerability that allowed attackers to inject spyware on phones through the app's phone calls.
The FT said the spyware was developed by the Israeli cyber surveillance company NSO Group Technologies Ltd. for its mobile monitoring tools, and that it affects both Android and iPhones.
Asked about the report, NSO said its technology is licensed to authorized authorities "for the sole purpose of combating crime and terror" and that it does not use the system itself and has a strict licensing and vetting process.
"We investigate any credible allegations of abuse and, if necessary, we take action, including the closure of systems," the company said. "Under no circumstances would NSO be involved in the operation or identification of targets for its technology, which is operated by the intelligence and law enforcement agencies only."
Facebook bought WhatsApp in 2014 for $19 billion.
Facebook founder Chris Hughes wrote last week in The New York Times that employee Mark Zuckerberg had too much influence by controlling Facebook, Instagram and WhatsApp, three central communications platforms, and urged that the company be broken up.
Facebook's shares were down about 1.1% in New York.