WhatsApp security breach likely a government surveillance attack, company says

WhatsApp says a security breach of its messaging app had the hallmarks of governments using surveillance technology developed by a private company — and human rights groups may have been the target.

The Facebook-owned company said it had notified the United States Department of Justice to help with an investigation into the breach, which was discovered in early May.

WhatsApp, one of the world's most popular messaging services, has encouraged its 1.5 billion monthly users to update to the latest version of the app, where it said the breach had been fixed.

It has previously touted its high level of security and privacy, with messages on its platform being encrypted end-to-end so WhatsApp and third parties cannot read or listen to them.

A WhatsApp spokesman said the attack was sophisticated and had all the hallmarks of a "private company working with governments on surveillance".

It said it was "deeply concerned about the abuse" of surveillance technology, and it believed human rights activists may have been the targets of the breach.

"We're working with human rights groups on learning as much as we can about who may have been impacted from their community. That's really where our highest concern is," a spokesman said.

Ireland's Data Protection Commission, the lead regulator of WhatsApp in the European Union, said in a statement the vulnerability "may have enabled a malicious actor to install unauthorised software and gain access to personal data on devices which have WhatsApp installed".

Claims of 'chilling attacks on human rights defenders'

Scott Storey, a senior lecturer in cyber security at Sheffield Hallam University, said the attack appeared to be carried out by governments targeting specific people, mainly human rights campaigners.

"For the average end user, it's not something to really worry about," he said, adding WhatsApp quickly fixed the vulnerability.

"This isn't someone trying to steal private messages or personal details."

Earlier, the Financial Times reported a vulnerability in WhatsApp allowed attackers to inject spyware on phones by ringing up targets using the app's phone call function.

The newspaper said the spyware was developed by Israeli cyber-surveillance company NSO Group, and WhatsApp could not yet give an estimate of how many phones were targeted.

Asked about the report, NSO said its technology was licensed to authorised government agencies "for the sole purpose of fighting crime and terror". It said it did not operate the system itself, and it had a rigorous licensing and vetting process.

"Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies," it said.

Amnesty International, which has previously reported being targeted by the software, is currently supporting legal action that would compel the Israeli Ministry of Defence to revoke the export licence of NSO Group due to its "chilling attacks on human rights defenders around the world".

"NSO Group sells its products to governments who are known for outrageous human rights abuses, giving them the tools to track activists and critics," Danna Ingleton, deputy director of Amnesty Tech, said.

Social media giant Facebook bought WhatsApp in 2014 for $US19 billion ($27.38 billion).

Reuters