
World WhatsApp security flaw discovered with help from Canadian researchers

Facebook said it discovered a vulnerability in WhatsApp earlier this month that allowed hackers to install spyware just by calling someone’s phone number through the app.

ARUN SANKAR/AFP/Getty Images

Hackers exploited a bug in Facebook’s popular encrypted messaging service WhatsApp to remotely take control of the phones of iPhone and Android users.

The Financial Times reported that an Israeli company called NSO Group was behind the attack, which exposed a vulnerability in WhatsApp, a private-messaging service owned by Facebook that is used by 1.5 billion people. NSO Group sells sophisticated software to government agencies to fight crime and terrorism. But the company has been widely criticized for allowing its software to be used by repressive regimes to spy on human-rights activists, journalists and political dissidents.

Facebook said it discovered a vulnerability in WhatsApp earlier this month that allowed hackers to install spyware just by calling someone’s phone number through the app. The social-media giant said it believed the attack targeted only “a select few” people and that the company had informed both human-rights organizations as well as U.S. law-enforcement agencies of the breach. Facebook rushed through a fix late last week and urged users of WhatsApp to install an update to the software released on Monday.


The WhatsApp attack appears to be a major advancement in cyber-espionage technology that could potentially be used to exploit similar vulnerabilities in other mobile-phone applications, said Ron Deibert, director of The Citizen Lab, a research group at the University of Toronto’s Munk School of Global Affairs and Public Policy that helped to uncover the attack.

The attackers were able to insert code into users’ smartphones through a feature that lets people use the app to call each other over the internet. The program can covertly take over control of a phone, including turning on the microphone and camera, disabling security settings, reading messages, tracking location data and accessing personal contacts.

While Facebook did not confirm the Financial Times’ report that NSO Group was behind the attack, the Silicon Valley firm said the hack was orchestrated by “an advanced cyberactor” and “has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile-phone operating systems.”

In a statement posted on Twitter Tuesday, NSO Group denied being behind the attack. It said its technology is licensed only to vetted government agencies and that NSO has little control over how governments use its tools. “Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law-enforcement agencies,” the company said.

In the past, hackers would typically target users by sending them text messages or e-mails that pointed them toward a link on the internet. Users would have to click on the link to download the malicious software. But the attack on WhatsApp allowed hackers to download software onto a phone just by calling a number, even if the person at the other end of the line didn’t answer. The software could then take over a phone and delete evidence of the attack, making it harder to track.

“To me it’s kind of like a nuclear option when it comes to surveillance technology,” The Citizen Lab’s Mr. Deibert said. “There’s no need to trick anyone. You simply have to have their phone number.”


The attack also highlights some of the limitations of encrypted messaging services, which Facebook chief executive Mark Zuckerberg had recently touted as secure technology that can limit the ability of governments to access personal communication.


In the past, governments could simply compel phone and internet companies to hand over unencrypted messages.

But the growth of encrypted messaging services such as WhatsApp, which prevent companies from seeing the content of messages, has helped fuel a growing appetite for sophisticated software programs that allow governments to break through the extra security features, Mr. Deibert said.

The Citizen Lab has been tracking NSO Group’s software for several years. Last fall, the group released a report saying it had “high confidence” that Saudi intelligence officials had used NSO’s surveillance software to target a 27-year-old Quebecker named Omar Abdulaziz. Mr. Abdulaziz is a dissident Saudi activist with an active presence on social media who was a close confidant of murdered Washington Post columnist Jamal Khashoggi.

Earlier this month, a British lawyer representing several defendants in a lawsuit against NSO Group, including Mr. Abdulaziz, contacted The Citizen Lab after the lawyer started receiving phone calls at odd hours of the night to his WhatsApp account from Sweden.

The Canadian researchers analyzed the network traffic on the lawyer’s phone and alerted Facebook to the suspicious activity on WhatsApp. Mr. Deibert said The Citizen Lab researchers did not confirm the attackers were using NSO Group technology.


The researchers met with the lawyer on Sunday to test his phone and determined that Facebook had successfully fixed the problem, Mr. Deibert said.

With a report from Colin Freeze
