Attaullah Baig, WhatsApp’s former head of security, has filed a whistleblower
lawsuit alleging that Facebook deliberately failed to fix a bunch of security
flaws, in violation of its 2019 settlement agreement with the Federal Trade
Commission.
> The lawsuit, alleging violations of the whistleblower protection provision of
> the Sarbanes-Oxley Act passed in 2002, said that in 2022, roughly 100,000
> WhatsApp users had their accounts hacked every day. By last year, the
> complaint alleged, as many as 400,000 WhatsApp users were getting locked out
> of their accounts each day as a result of such account takeovers...
Reuters is reporting that the White House has banned WhatsApp on all employee
devices:
> The notice said the “Office of Cybersecurity has deemed WhatsApp a high risk
> to users due to the lack of transparency in how it protects user data, absence
> of stored data encryption, and potential security risks involved with its
> use.”
TechCrunch has more commentary, but no more information.

The case is over:
> A jury has awarded WhatsApp $167 million in punitive damages in a case the
> company brought against Israel-based NSO Group for exploiting a software
> vulnerability that hijacked the phones of thousands of users.
I’m sure it’ll be appealed. Everything always is.

Meta is suing NSO Group, basically claiming that the latter hacks WhatsApp and
not just WhatsApp users. We have a procedural ruling:
> Under the order, NSO Group is prohibited from presenting evidence about its
> customers’ identities, implying the targeted WhatsApp users are suspected or
> actual criminals, or alleging that WhatsApp had insufficient security
> protections.
>
> […]
>
> In making her ruling, Northern District of California Judge Phyllis Hamilton
> said NSO Group undercut its arguments to use evidence about its customers with
> contradictory statements...

This is yet another story of commercial spyware being used against journalists
and civil society members.
> The journalists and other civil society members were being alerted of a
> possible breach of their devices, with WhatsApp telling the Guardian it had
> “high confidence” that the 90 users in question had been targeted and
> “possibly compromised.”
>
> It is not clear who was behind the attack. Like other spyware makers,
> Paragon’s hacking software is used by government clients and WhatsApp said it
> had not been able to identify the clients who ordered the alleged attacks...

A judge has found that NSO Group, maker of the Pegasus spyware, has violated the
US Computer Fraud and Abuse Act by hacking WhatsApp in order to spy on people
using it.

Jon Penney and I wrote a legal paper on the case.