As you’re likely now aware, Facebook-owned messaging platform WhatsApp, which is used by more than 1.5 billion people around the world, has discovered a major security loophole which looks to have been exploited by an Israel-based group that has a history of working with governments to steal data and spy on citizens through digital means.
As outlined by TechCrunch:
“The vulnerability was discovered by the Facebook-owned WhatsApp in early May – it apparently leveraged a bug in the audio call feature of the app to allow the caller to enable the installation of spyware on the device being called, whether the call was answered or not.”
There’s no word as yet as to how many users have been targeted by the attack, but WhatsApp believes a relatively small number of users were impacted. WhatsApp says that it rolled out a fix for the problem within 10 days of the discovery, and it’s now urging all users to update to the latest version of the app to eliminate the concern.
This, of course, is a major issue. WhatsApp has a long history of prioritizing data security and user privacy – so much so that founder Jan Koum reportedly left Facebook last year after clashing with Facebook management over their proposed changes to data use, and in particular, WhatsApp’s usage of end-to-end encryption.
WhatsApp made all of its messages end-to-end encrypted in 2016, underlining its focus on data privacy. Facebook, which does have optional end-to-end encryption on Messenger (though you have to opt in), has built its business on utilizing audience data for ad purposes, something that advanced encryption and security don’t allow. That, reportedly, is where the conflict with Koum began – since then, Facebook has changed its tune, with privacy becoming a major focus for the company, as outlined at its recent F8 conference.
Given WhatsApp’s long-standing stance on privacy, an exploit like this is a major blow – but an important point of note here is that end-to-end encryption is not to blame for this specific issue.
In the wake of the news, Bloomberg published an opinion piece titled ‘WhatsApp’s End-to-End Encryption is a Gimmick’, which criticizes the process, noting that:
“‘End-to-end encryption’ is a marketing device used by companies such as Facebook to lull consumers wary about cyber-surveillance into a false sense of security.”
This is not correct. The attack here is not related to end-to-end encryption of data, but to a flaw within the app itself, which can be exploited by those with knowledge of it. End-to-end encryption protects messages in transit between devices; spyware installed on a device through an app bug operates on the device itself, where messages are necessarily decrypted for the user to read. The two aspects are separate, and suggesting that the issue shows encryption is flawed draws an incorrect link between the issue and its cause.
Encryption remains a strong security option to protect your data and keep your conversations private. The WhatsApp issue is a major concern for the company and its users – and hopefully we’ll get a sense of the overall impact of the attack soon. But end-to-end encryption remains an important data security measure, and one which users should continue to utilize to protect their information if they need to.
The suggestion that this is an encryption flaw could cause major, unnecessary concern among those who have used it to keep their data private. The two aspects are separate, which is important to note.
If you haven’t already, you should update WhatsApp to the latest version to ensure you’re not vulnerable to targeting.