Dumping the sources here because a friend requested them. Thought it would be good to document.
2019 - A recently discovered zero-day vulnerability in the world’s most popular messenger — WhatsApp — allowed hackers to eavesdrop on users, read their encrypted chats, turn on the microphone and camera, and install spyware that allows even further surveillance, such as browsing through the victim’s photos and videos, accessing their contact list, and so on. What’s even worse, to exploit the vulnerability, all the hacker needs to do is call the victim on WhatsApp.. Reported by Kaspersky, highly reputable cyber security company
2020 - NSO Group allegedly connected to hacks of 1,400 people including human rights activists. Reported by TheGuardian, perennial news outlet. Note the (Israeli) NSO Group discussed here was exploiting WhatsApp
2021 - 50 people close to Mexico’s president spied on via WhatsApp backdoors. Again reported by TheGuardian. Same (Israeli) NSO group as above
2021 - Revealed: murdered journalist’s number selected by Mexican NSO client. Again reported by TheGuardian (there’s lots of sources but I’m sticking with these guys for their good journalism). Mexican journalist was murdered. Was one of the people who was hacked through WhatsApp. Note his murder actually took place in 2017 (this has been going on for some time)
2022 - WhatsApp accidentally had another insanely dangerous vulnurability. This one is a random source, but it links the actual CVE. It’s crazy how WhatsApp keeps “accidentally” having perfect government-level backdoors.
My personal take is this - Unless you genuinely want everyone to read the messages you send your friends, you need to use a private messaging app. For an app to be private, it needs to be secure. For an app to be secure, it needs to be open source. WhatsApp is not secure. It is not private. Stop using it.
Apologies for typos/mistakes, it’s 4:30am, was just stitching sources together real quick. By the way, the founder(?) of Telegram had a blog where he wrote about this too but I can’t find it right now. If anyone has a link, please share :)
Could remote code execution, like CVE-2022-36934, also get around the e2ee? Since you’re taking control of the “end” of things.
The E2EE is made worthless by -
- The constant “bugs” that allow remote code execution
- Cloud backups (that backup the encryption keys)
- Swapping the keys is possible, and WhatsApp doesn’t tell you (Signal will display a message that the keys have changed)
To be fair, E2EE doesn’t allow anyone with a Stingray (read: Rasberry Pi) to read your messages (unlike SMS), but it does allow for anyone with a bit of power (money) to read them.
well known.
the vulnerabilities were always present one at a time. always the same bound check fail in different places. so obvious.
WhatsApp is a default app, and not uninstallable when you purchase a device from many carriers in third world countries. It’s further interesting to consider that both iOS and Android have protections to make sure a malicious app can’t escape its sandbox, yet somehow WhatsApp’s vulnerabilities are so bad it “accidentally” escapes these sandboxes as well.
my friend. this war is lost. india, brazil, many other countries you cannot book a DMV-equivalent appointment without whatsapp.
every single business dealing from getting your nail done to buying a house will obligatory happen over whatsapp.
who cares if it’s installed by default? if you live in these national security oblivious neo colonies you will use whatsapp and you will like it.
whatsapp is the most successful cia ops where they finally got full control way beyond latin america