Dumping the sources here because a friend requested them. Thought it would be good to document.

2019 - A recently discovered zero-day vulnerability in the world’s most popular messenger — WhatsApp — allowed hackers to eavesdrop on users, read their encrypted chats, turn on the microphone and camera, and install spyware that allows even further surveillance, such as browsing through the victim’s photos and videos, accessing their contact list, and so on. What’s even worse, to exploit the vulnerability, all the hacker needs to do is call the victim on WhatsApp. Reported by Kaspersky, highly reputable cyber security company.

2020 - NSO Group allegedly connected to hacks of 1,400 people including human rights activists. Reported by TheGuardian, perennial news outlet. Note the (Israeli) NSO Group discussed here was exploiting WhatsApp

2021 - 50 people close to Mexico’s president spied on via WhatsApp backdoors. Again reported by TheGuardian. Same (Israeli) NSO group as above

2021 - Revealed: murdered journalist’s number selected by Mexican NSO client. Again reported by TheGuardian (there’s lots of sources but I’m sticking with these guys for their good journalism). Mexican journalist was murdered. Was one of the people who was hacked through WhatsApp. Note his murder actually took place in 2017 (this has been going on for some time)

2022 - WhatsApp accidentally had another insanely dangerous vulnerability. This one is a random source, but it links the actual CVE. It’s crazy how WhatsApp keeps “accidentally” having perfect government-level backdoors.


My personal take is this - Unless you genuinely want everyone to read the messages you send your friends, you need to use a private messaging app. For an app to be private, it needs to be secure. For an app to be secure, it needs to be open source. WhatsApp is not secure. It is not private. Stop using it.


Apologies for typos/mistakes, it’s 4:30am, was just stitching sources together real quick. By the way, the founder(?) of Telegram had a blog where he wrote about this too but I can’t find it right now. If anyone has a link, please share :)

  • Sandra
    12 years ago

    Could remote code execution, like CVE-2022-36934, also get around the e2ee? Since you’re taking control of the “end” of things.

    • @OsrsNeedsF2POP
      2
      2 years ago

      The E2EE is made worthless by -

      • The constant “bugs” that allow remote code execution
      • Cloud backups (that backup the encryption keys)
      • Swapping the keys is possible, and WhatsApp doesn’t tell you (Signal will display a message that the keys have changed)

      To be fair, E2EE doesn’t allow anyone with a Stingray (read: Raspberry Pi) to read your messages (unlike SMS), but it does allow for anyone with a bit of power (money) to read them.
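The third point above (a swapped identity key that the client accepts without telling you, versus a client that flags the change) can be shown with a small trust-on-first-use key store. This is an added illustration, not code from WhatsApp, Signal or the commenter; the keys are constructed sample bytes and the fingerprint scheme is a stand-in for a real safety-number encoding.

```python
"""Trust-on-first-use (TOFU) identity-key pinning, with and without key-change detection."""
import hashlib
from dataclasses import dataclass, field


def fingerprint(key: bytes) -> str:
    # Short digest for out-of-band comparison. Constructed scheme, not Signal's real safety number.
    return hashlib.sha256(key).hexdigest()[:16]


@dataclass
class KeyStore:
    pinned: dict = field(default_factory=dict)   # contact -> identity public key (bytes)
    events: list = field(default_factory=list)   # audit trail the user (or a detection) can inspect

    def receive_key(self, contact: str, key: bytes, warn_on_change: bool) -> str:
        """Handle an identity key presented for `contact`.

        Returns one of: 'pinned', 'unchanged', 'changed-flagged', 'changed-silently'.
        """
        old = self.pinned.get(contact)
        if old is None:                      # first contact: pin the key (TOFU)
            self.pinned[contact] = key
            self.events.append((contact, "pinned", fingerprint(key)))
            return "pinned"
        if old == key:
            return "unchanged"
        if warn_on_change:                   # Signal-style behaviour: keep the old pin, surface the change
            self.events.append((contact, "key changed", fingerprint(old), fingerprint(key)))
            return "changed-flagged"
        self.pinned[contact] = key           # silent re-pin: the swap is accepted with no notice
        return "changed-silently"


def demo():
    """Same key swap fed to a silent client and a flagging client; returns what each did."""
    alice_key = bytes.fromhex("01" * 32)     # constructed sample identity key
    swapped_key = bytes.fromhex("02" * 32)   # constructed replacement key presented later
    silent, flagged = KeyStore(), KeyStore()
    silent_results = [silent.receive_key("alice", alice_key, False),
                      silent.receive_key("alice", swapped_key, False)]
    flagged_results = [flagged.receive_key("alice", alice_key, True),
                       flagged.receive_key("alice", swapped_key, True)]
    # The flagging client still trusts the original key until the user re-verifies;
    # the silent client now encrypts to whoever holds swapped_key.
    return silent_results, flagged_results, silent.pinned["alice"], flagged.pinned["alice"]


if __name__ == "__main__":
    print(demo())
```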