NEW DELHI: The uncomfortable truth for billions of WhatsApp users around the world is that the messaging app is not as secure as it is made out to be.
The Facebook-owned app, which has more than 200 million users in India alone, has pressed users to update its messaging service, following a report that a vulnerability in the software allowed attackers to hack into people’s phones using commercial spyware.
WhatsApp, one of the most popular messaging tools in the world, has touted its high level of security and privacy, with messages on its platform being encrypted end to end so that WhatsApp and third parties cannot read or listen to them. The company said it was still investigating the breach, but believed only a “select number of users were targeted”.
The breach was first reported by The Financial Times. The report indicated that the spyware gets installed on a user’s phone through calls, even if the user doesn’t pick them up. To stay undetected, the spyware erases the incoming call from WhatsApp’s call logs.
The FT report claims that the malicious code behind the spyware attack was developed by NSO Group, an Israeli software company that has recently been accused by Amnesty International of making spyware products used to target human rights activists worldwide.
WhatsApp said it was “deeply concerned about the abuse” of such surveillance technologies and that it believed human rights activists might have been the targets.
“We’re working with human rights groups on learning as much as we can about who may have been impacted from their community. That’s really where our highest concern is,” said a company spokesman.
In a statement, NSO Group said its technology “is licensed to authorized government agencies for the sole purpose of fighting crime and terror”.
In a notice, WhatsApp identified the flaw as a “buffer overflow” vulnerability in WhatsApp’s “VOIP stack”.
In a blog post, Cloudflare, a US-based security firm, explained that a buffer overflow occurs when a memory area of a running process is overwritten with more data than the buffer was sized to hold. A buffer is designed to hold a fixed amount of data; unless the program using it has been written to discard old data and make room for new data, anything written beyond that limit spills into the adjacent memory.
Attackers can exploit this by feeding a carefully crafted input into a program, causing the program to store the input in a buffer that does not have enough space for it. This lets them overwrite areas holding executable code and replace it with malicious code.
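The defect the article describes, as an added example that is not code from the article, WhatsApp or Cloudflare: a parser for a constructed length-prefixed call-setup message. The first version copies as many bytes as the message declares into a fixed 32-byte field with no capacity check; the second rejects any message that does not fit. The message format, field sizes, sample messages and error codes are all assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>
#define CALLER_ID_MAX 32   /* capacity of the fixed-size destination buffer (assumed) */
#define HDR_LEN 3          /* assumed header: 1 byte message type + 2 bytes payload length */
struct call_setup { uint8_t type; char caller_id[CALLER_ID_MAX]; };
enum { PARSE_OK = 0, ERR_SHORT = 1, ERR_TRUNCATED = 2, ERR_TOO_LONG = 3 };

/* Defect pattern: the copy length is taken straight from the wire, so a message
 * declaring more than CALLER_ID_MAX bytes writes past the end of the buffer.
 * Kept only for contrast; never call it on untrusted input. */
int parse_call_setup_unchecked(const uint8_t *pkt, size_t pkt_len,
                               struct call_setup *out) {
    if (pkt_len < HDR_LEN) return ERR_SHORT;
    size_t n = ((size_t)pkt[1] << 8) | pkt[2];
    out->type = pkt[0];
    memcpy(out->caller_id, pkt + HDR_LEN, n);   /* no capacity check */
    out->caller_id[n] = '\0';
    return PARSE_OK;
}

/* Hardened version: the declared length must fit both the bytes actually
 * received and the destination buffer, leaving room for the terminator. */
int parse_call_setup(const uint8_t *pkt, size_t pkt_len,
                     struct call_setup *out) {
    if (pkt_len < HDR_LEN) return ERR_SHORT;
    size_t n = ((size_t)pkt[1] << 8) | pkt[2];
    if (n > pkt_len - HDR_LEN) return ERR_TRUNCATED;      /* claims bytes it lacks */
    if (n >= sizeof out->caller_id) return ERR_TOO_LONG;  /* would overflow */
    out->type = pkt[0];
    memcpy(out->caller_id, pkt + HDR_LEN, n);
    out->caller_id[n] = '\0';
    return PARSE_OK;
}

/* Constructed samples (not real WhatsApp traffic): a valid 5-byte caller id,
 * and one that declares 300 payload bytes while carrying only 5. */
static const uint8_t GOOD_MSG[] = { 0x01, 0x00, 0x05, 'a', 'l', 'i', 'c', 'e' };
static const uint8_t BAD_MSG[]  = { 0x01, 0x01, 0x2C, 'a', 'l', 'i', 'c', 'e' };

/* Runs the checked parser; returns its code, or -1 when it succeeds but the
 * parsed caller id differs from expect_id (pass NULL to skip that comparison). */
int parse_sample(const uint8_t *pkt, size_t len, const char *expect_id) {
    struct call_setup cs;
    int rc = parse_call_setup(pkt, len, &cs);
    if (rc == PARSE_OK && expect_id && strcmp(cs.caller_id, expect_id)) return -1;
    return rc;
}

/* Builds a message carrying n bytes of 'A' (n <= 64) and runs the checked parser. */
int parse_constructed(size_t n) {
    uint8_t pkt[HDR_LEN + 64] = { 0x01, (uint8_t)(n >> 8), (uint8_t)n };
    if (n > 64) return -1;
    memset(pkt + HDR_LEN, 'A', n);
    return parse_sample(pkt, HDR_LEN + n, NULL);
}
```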
Unix-based operating systems such as iOS and Android use a sandbox design, which separates the app layer from the rest of the system, making them more difficult to attack. “The attack installs an application called Pegasus on the target device, which can potentially escape the application sandbox implemented by the OS and read text messages, activate the microphone and camera, and collect sensitive information stored on the device,” said Jaspreet Singh, partner, information security, at EY.
Reuters and Bloomberg contributed to this story.