WhatsApp security breach may have targeted human rights groups

WhatsApp said on Tuesday that a security breach on its messaging app had signs of coming from a government using surveillance technology developed by a private company, and it may have targeted human rights groups.

WhatsApp, a unit of Facebook, said it had notified the US Department of Justice to help with an investigation, and it encouraged all WhatsApp users to update to the latest version of the app, where the breach had been fixed.

WhatsApp, one of the world’s most popular messaging tools, is used by 1.5 billion people monthly. It has touted its high level of security and privacy, with messages on its platform being encrypted end-to-end so that WhatsApp and third parties cannot read or listen to them.

The company said it was still investigating the breach but believed only a “select number of users were targeted through this vulnerability by an advanced cyber actor.”

WhatsApp said its advice to all users to update came “out of an abundance of caution” and a recommendation by Citizen Lab, a research group at the University of Toronto that it notified about the vulnerability before the announcement.

It did not disclose how many users were affected. A technical advisory published on Facebook’s security website said the vulnerability affected both Android phones and iPhones.

A WhatsApp spokesman said the attack was sophisticated and had all the hallmarks of a “private company working with governments on surveillance.”

The FBI and Justice Department declined to comment.

The Financial Times initially reported on the WhatsApp vulnerability that allowed attackers to inject spyware on phones via the app’s voice-calling function.

WhatsApp told human rights groups it believed the spyware was developed by Israeli cyber surveillance company NSO Group, best known for its mobile hacking tools, said Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation, a San Francisco-based nonprofit.

“They said they believed it was NSO Group, but they also couched it in very careful terms with many caveats, because attribution is hard,” she said.

Like Citizen Lab, EFF was among the groups WhatsApp notified several days ago about the vulnerability.

A second person familiar with the matter also identified NSO Group as the suspected culprit.

NSO did not comment on the specific attacks. In a statement sent to Reuters, NSO said it would investigate any “credible allegations of misuse” of its technology.

The company said it never picks or identifies targets of its technology, “which is solely operated by intelligence and law enforcement agencies. NSO would not or could not use its technology in its own right to target any person or organization, including this individual.”

One target of the new WhatsApp exploit was a United Kingdom-based human rights lawyer who spoke on condition of anonymity. He said an attack against him took place on Sunday after WhatsApp issued its update and was not successful. The lawyer had contacted Citizen Lab after receiving previous suspicious WhatsApp calls.

The lawyer is helping a Saudi dissident and several Mexican journalists mount civil cases against NSO Group for its alleged role in selling hacking tools to the Saudi and Mexican governments, which they allege were used to hack into their phones.

There are currently four known legal cases against NSO Group, including three in Israel and one based in Cyprus. NSO is being sued for damages allegedly caused by the sale of its tools, which the company says it sells only to law enforcement and intelligence agencies pursuing legitimate targets, such as terrorists and criminals.

WhatsApp said it was “deeply concerned about the abuse” of such surveillance technologies and that it believed human rights activists may have been the targets.

“We’re working with human rights groups on learning as much as we can about who may have been impacted from their community. That’s really where our highest concern is,” the spokesman said.

Citizen Lab tweeted on Monday: “We believe an attacker tried (and was blocked by WhatsApp) to exploit it as recently as yesterday to target a human rights lawyer.”

Citizen Lab told Reuters that the person was the UK lawyer, who had approached Citizen Lab after receiving multiple WhatsApp calls from unknown numbers at strange hours, making him suspicious.

Ireland’s Data Protection Commission (DPC), WhatsApp’s lead regulator in the European Union, said WhatsApp had notified the agency late on Monday of a “serious security vulnerability” on its platform.

“The DPC understands that the vulnerability may have enabled a malicious actor to install unauthorized software and gain access to personal data on devices which have WhatsApp installed,” the regulator said in a statement.

Cyber security experts said the vast majority of WhatsApp users were unlikely to have been affected.

WhatsApp unveils ‘tipline’ to tackle fake news

WhatsApp on Tuesday unveiled its ‘Checkpoint Tipline’, where people can check the authenticity of information they receive, as the messaging giant looks to crack down on fake news ahead of the general election in the country.

“Launched by PROTO, an India-based media skilling startup, this tip line will help create a database of rumours to study misinformation during elections for Checkpoint – a research project commissioned and technically assisted by WhatsApp,” the Facebook-owned company said in a statement. It added that starting Tuesday, people in India can submit misinformation or rumours they receive to the Checkpoint Tipline on WhatsApp (+91-9643-000-888).

Once a WhatsApp user shares a suspicious message with the tipline, PROTO’s verification centre will seek to respond and inform the user if the claim made in a message shared is verified or not. “The response will indicate if the information is classified as true, false, misleading, disputed or out of scope and include any other related information that is available,” the statement said.

This centre is equipped to review content in the form of pictures, video links or text and will cover English and four regional languages – Hindi, Telugu, Bengali and Malayalam. PROTO will also look at working with organisations at the grassroots level to submit misinformation circulating across different regions in India during the election period.

Facebook, which counts India as one of its largest markets with over 200 million users, had faced flak from the Indian government after a series of mob-lynching incidents, triggered by rumours circulating on WhatsApp, claimed lives last year. Under pressure to stop rumours and fake news, WhatsApp had last year restricted forwarding messages to five chats at once. It has also been putting out advertisements in newspapers and running television and radio campaigns offering tips to users on how to spot misinformation.

With general elections approaching, the Indian government had warned social media platforms of strong action if any attempt was made to influence the country’s electoral process through undesirable means. Interestingly, the Indian government, through proposed changes in IT rules, is seeking to make social media platforms more accountable by mandating them to introduce tools that can identify and disable “unlawful content”.

One of the amendments being mulled in the IT intermediary rules (meant for online and social media platforms) will require them to enable tracing of the originators of such information as needed by legally authorised government agencies.

However, WhatsApp has so far resisted the government’s demand for identifying message originators, arguing that such a move would undermine the end-to-end encryption and the private nature of the platform, creating the potential for serious misuse. In its statement on Tuesday, WhatsApp said Dig Deeper Media and Meedan – which have previously worked on misinformation-related projects around the world – are helping PROTO to develop the verification and research frameworks for India.

Meedan has developed the technology to support the verification of rumours and will maintain the database of such content that has been processed. To do so, it has expanded its Check platform (developed for recent elections in Mexico and France) and integrated it with the WhatsApp Business API to receive and respond to messages at scale.

“The goal of this project is to study the misinformation phenomenon at scale — natively in WhatsApp. As more data flows in, we will be able to identify the most susceptible or affected issues, locations, languages, regions, and more,” PROTO founders Ritvvij Parrikh and Nasr ul Hadi said. The verification reports PROTO sends back will encourage grassroots-level “listening posts” to send more signals for analysis, they added.

Following the project, PROTO also plans to submit learnings to the International Center for Journalists to help other organisations learn from the design and operations of this project. “The research from this initiative will help create a global benchmark for those wishing to tackle misinformation in their own markets,” Fergus Bell, founder and CEO, Dig Deeper Media, said.
