WhatsApp vulnerability exposed civil rights promoters to hacking attempts

WhatsApp discovered the vulnerability earlier this week and has issued a security advisory asking its users to update the app

It is not immediately clear if the calling flaw could be exploited to shuttle in other malicious code or if it relied on factors introduced by NSO or their clients.

The vulnerability deals with the voice over IP (VoIP) function on WhatsApp, which can enable internet-based voice calls.

"WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date", the spokesperson said in an email.

WhatsApp said that the vulnerability was discovered this month and that the company quickly addressed the problem within its own infrastructure, publishing an update on Monday.

"The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15". "We have briefed a number of human rights organizations to share the information we can and to work with them to notify civil society".

WhatsApp engineers were working to close the vulnerability Sunday night and issued a patch for customers on Monday, the Financial Times reported. The company also believes that only a relatively small number of users were targeted by the attack. Prosecutors in the USA have been alerted. The spyware could be transmitted even if the target victim didn't answer their phone, and the calls often disappeared from users' call logs. The company told the FT that it was investigating the WhatsApp attacks. The Israeli outfit, valued at $1bn, sells a highly capable spyware package, dubbed Pegasus, to governments around the world, ostensibly only allowing the suite to be used to snoop on and snare criminals and terrorists.

That makes the discovery of the vulnerability particularly disturbing because one of the targets was a United Kingdom-based human rights lawyer, the attorney told the AP. However, the exploit developers denied any shenanigans. "The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions", NSO Group said. NSO would not, or could not, use its technology in its own right to target any person or organisation, including this individual. The lawyer, who was not identified by name, is involved in a lawsuit against NSO brought by a group of Mexican journalists, government critics and a Saudi Arabian dissident.