Marking WhatsApp’s greatest security breach to date, the Facebook-owned messaging service just repaired what it’s calling a “serious security vulnerability.”
Although the timeline of the breach remains unclear, the vulnerability apparently allowed bad actors to install high-end spyware on the phones of WhatsApp users.
The spyware — NSO Group’s Pegasus — is popular among government spy agencies, according to a report in the Financial Times.
Partly due to the sophisticated nature of the operation, Facebook has referred the breach to the U.S. Department of Justice, along with a number of government regulators around the world.
Reached for comment, a WhatsApp spokesperson said user security is a top priority for the Facebook unit. “We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users,” the spokesperson said.
WhatsApp is not ready to estimate how many of its roughly 1.5 billion users might have been impacted by the vulnerability.
Pegasus, NSO Group’s flagship spy software, has the power to activate a phone’s microphone and camera, search through emails and messages, and even track location data.
Security blunders have become a regular occurrence for Facebook and its network of platforms. Most recently, the tech titan admitted the passwords of millions of Instagram users might have been exposed to its own employees.
Yet, the idea that foreign governments might be using WhatsApp to spy on users makes Facebook’s other security breaches appear quaint by comparison.
Making matters worse for Facebook, Mark Zuckerberg just recently unveiled an ambitious plan to redefine private, encrypted messaging platforms.
Still in development, the new offering will “focus on the most fundamental and private use case — messaging — make it as secure as possible, and then build more ways for people to interact on top of that,” Facebook’s cofounder-CEO said at the time.
The announcement confirmed a recent story in The New York Times, which reported Facebook was integrating the infrastructures of Messenger, Instagram and WhatsApp in order to enable end-to-end encryption across its network of properties.
This latest security snafu doesn’t bode well for the future of such an integrated service.