WhatsApp to refer security breach to U.S. authorities

FILE PHOTO: A logo of WhatsApp is pictured on a T-shirt worn by a WhatsApp-Reliance Jio representative during a drive by the two companies to educate users, on the outskirts of Kolkata, India, October 9, 2018. REUTERS/Rupak De Chowdhuri

By Steven Scheer

JERUSALEM (Reuters) – Facebook’s WhatsApp said on Tuesday a security breach on its messaging app had signs of coming from a private company working on surveillance and it had referred the incident to the U.S. Department of Justice.

WhatsApp, one of the most popular messaging tools, is used by 1.5 billion people monthly and it has touted its high level of security and privacy, with messages on its platform being encrypted end to end so that WhatsApp and third parties cannot read or listen to them.

A WhatsApp spokesman said the attack was sophisticated and had all the hallmarks of a “private company working with governments on surveillance.”

“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” a spokesman said.

“We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users,” he said. WhatsApp did not elaborate further.

WhatsApp informed its lead regulator in the European Union, Ireland’s Data Protection Commission (DPC), of a “serious security vulnerability” on its platform.

“The DPC understands that the vulnerability may have enabled a malicious actor to install unauthorized software and gain access to personal data on devices which have WhatsApp installed,” the regulator said in a statement.

“WhatsApp are still investigating as to whether any WhatsApp EU user data has been affected as a result of this incident,” the DPC said, adding that WhatsApp informed it of the incident late on Monday.

Cybersecurity experts said the vast majority of users were unlikely to have been affected.

Scott Storey, a senior lecturer in cybersecurity at Sheffield Hallam University, believes most WhatsApp users were not affected since this appears to be governments targeting specific people, mainly human rights campaigners.

“For the average end user, it’s not something to really worry about,” he said, adding that WhatsApp found the vulnerability and quickly fixed it. “This isn’t someone trying to steal private messages or personal details.”

Storey said that disclosing vulnerabilities is a good thing and likely would lead to other services looking at their security.

INCOMING CALL

Earlier, the Financial Times reported that a vulnerability in WhatsApp allowed attackers to inject spyware on phones by ringing up targets using the app’s phone call function.

It said the spyware was developed by Israeli cyber surveillance company NSO Group — best known for its mobile surveillance tools — and affects both Android and iPhones. The FT said WhatsApp could not yet give an estimate of how many phones were targeted.

The FT reported that teams of engineers had worked around the clock in San Francisco and London to close the vulnerability, and that WhatsApp began rolling out a fix to its servers on Friday last week and issued a patch for customers on Monday.

Asked about the report, NSO said its technology is licensed to authorized government agencies “for the sole purpose of fighting crime and terror,” and that it does not operate the system itself while having a rigorous licensing and vetting process.

“We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system. Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” the company said.

Social media giant Facebook bought WhatsApp in 2014 for $19 billion.

Facebook co-founder Chris Hughes last week wrote in The New York Times that fellow co-founder Mark Zuckerberg had far too much influence by controlling Facebook, Instagram and WhatsApp, three core communications platforms, and called for the company to be broken up.

Facebook’s shares were up 0.8 percent at $183.02 in pre-market trading.

(Additional reporting by Ari Rabinovitch, Tamara Mathias and Padraic Halpin; Editing by Louise Heavens/Keith Weir/Jane Merriman)

Facebook unearths security breach affecting 50 million users

FILE PHOTO: A 3D-printed Facebook logo is seen in front of displayed binary digits in this illustration taken March 18, 2018. REUTERS/Dado Ruvic/Illustration/File Photo

By Munsif Vengattil, Arjun Panchadar and Paresh Dave

(Reuters) – Facebook Inc said on Friday that hackers had discovered a security flaw that allowed them to take over up to 50 million user accounts, a major breach that adds to a bruising year for the company’s reputation.

Facebook, which has more than 2 billion monthly active users, said it has been unable to determine yet whether the attackers misused any of the affected accounts or stole private information.

Facebook made headlines earlier this year after the data of 87 million users was improperly accessed by Cambridge Analytica, a political consultancy. The disclosure has prompted government inquiries into the company’s privacy practices across the world, and fueled a “#deleteFacebook” movement among consumers.

Shares in Facebook fell more than 3 percent in afternoon trading, weighing on major Wall Street stock indexes.

The latest vulnerability had existed since July 2017, but Facebook did not discover it until this month when it spotted an unusual increase in use of its “view as” feature.

“View as” allows users to see what their own profile looks like to someone else. The flaw inadvertently issued users of the tool a digital code, similar to a browser cookie, that could be used to post from and browse Facebook as if they were someone else.

The company said it fixed the issue on Thursday. It also notified the U.S. Federal Bureau of Investigation, Department of Homeland Security and Irish data protection authority about the breach.

Facebook reset the digital keys of the 50 million affected accounts, and as a precaution reset those keys for another 40 million that have been looked up through the “view as” option over the last year.

About 90 million people will have to log back into Facebook or any of their apps that use a Facebook login, the company said.

Facebook is also temporarily disabling “view as,” it said.

In 2013, Facebook disclosed a software flaw that exposed 6 million users’ phone numbers and email addresses to unauthorized viewers for a year, while a technical glitch in 2008 revealed confidential birth-dates on 80 million Facebook users’ profiles.

(Reporting by Munsif Vengattil and Arjun Panchadar in Bengaluru, Paresh Dave in San Francisco; Editing by Sai Sachin Ravikumar and Meredith Mazzilli)