WhatsApp is a “Trojan horse” exploited to snoop on millions of users naïve enough to believe that the Facebook-owned messenger differs from its parent company, long beset by privacy scandals, Telegram founder Pavel Durov said.
In a lengthy post on his Telegram channel on Wednesday, Durov took aim at one of his brainchild’s biggest rivals – WhatsApp, the world’s leading messaging app, which became a Facebook subsidiary in 2014 and boasts some 1.5 billion monthly active users.
For those still using WhatsApp (and other Facebook products for that matter). This is today's post from @Telegram's founder Pavel @Durov.#security #whatsapp #cybersecurity #privacy pic.twitter.com/9y9zVBVgBf
— Vitalik Demin (@VitalikGDemin) November 20, 2019
“Regardless of the underlying intentions of WhatsApp’s parent company, the advice for their end-users is the same: unless you are cool with all your photos and messages becoming public one day, you should delete WhatsApp from your phone.”
The Russian-born entrepreneur pulled no punches, citing a long record of privacy-related violations by Facebook to back up his case.
“WhatsApp doesn’t only fail to protect your WhatsApp messages – this app is being consistently used as a Trojan horse to spy on your non-WhatsApp photos and messages. Why would they do it? Facebook has been part of surveillance programs long before it acquired WhatsApp.”
In his stinging attack on the messenger, Durov also recounted a recent discovery of yet another system vulnerability in WhatsApp, which allowed hackers to send a specially crafted MP3 file to Android and iOS users and thereby obtain access to all their data.
“All a hacker had to do was send you a video – and all your data was at the attacker’s mercy,” Durov wrote.
While Facebook alerted WhatsApp users of the vulnerability, the social media giant played down the incident, saying that they lack any evidence that the backdoor was ever actually exploited by hackers.
Since WhatsApp does not store video files on its servers, instead sending most of its media and messages directly to Google and Apple’s servers
Durov argued, however, that Facebook’s denials are just smoke and mirrors, as “a security vulnerability of this magnitude is bound to have been exploited – just like the previous WhatsApp backdoor had been used against human rights activists and journalists naive enough to be WhatsApp users.”
Since WhatsApp does not store video files on its servers, instead sending most of its media and messages directly to Google and Apple’s servers, Facebook simply washed its hands of the affair, Durov argued.
Durov dismissed the notion that WhatsApp was simply riddled with system errors, and could not help but “accidently” implement “critical security vulnerabilities across all their apps every few months.”
— Digital Trends (@DigitalTrends) November 21, 2019
“I doubt that – Telegram, a similar app in its complexity, hasn’t had any issues of WhatsApp-level severity in the six years since its launch. It’s very unlikely that anyone can accidentally commit major security errors, conveniently suitable for surveillance, on a regular basis.”
Last month, the New York Times reported that officials in the US, UK and Australia penned a letter to Facebook CEO Mark Zuckerberg demanding that the company develop “back doors” in its messengers to provide intelligence agencies access to the communications of some 300 million daily users, as well as 1.5 billion who long into Facebook daily.
Read more: How to read deleted Whatsapp messages
Previous malfunctions in Whatsap privacy
In May 2019, WhatsApp says a small number of accounts were attacked by “an advanced cyber actor”. At the time Facebook, which owns WhatsApp, told security specialists the issue was: “A buffer overflow vulnerability in WhatsApp VOIP [voice over internet protocol] stack allowed remote code execution via specially crafted series of SRTCP [secure real-time transport protocol] packets sent to a target phone number.”
The app suggested its 1.5 billion users update the app after rolling out a fix to help protect devices from cyber-attacks. Even though messages in WhatsApp are end-to-end encrypted, which means they should only appear on the sender or recipient’s device, the surveillance software used in the latest hack would have let an attacker read the target’s messages.
Concerns about snooping have intensified after a sophisticated cyberattack that relied on spyware called Pegasus developed by an Israel-based company called NSO Group and exploited the video-calling system on WhatsApp to send malware to mobile devices. https://t.co/yHLlOBfDzv
— The Telegraph (@ttindia) November 21, 2019
Whatsapp Web also makes the platform an obvious target for cybercriminals. For years, the app has allowed users to open a website, or download a desktop app, scan a code with the app on your phone, and use WhatsApp on your computer.
The app store on a phone—the App Store on iOS and Google Play on Android—are more carefully regulated than the internet at large. When a user search for WhatsApp on those stores, it’s generally clear which app is the official one. That isn’t true of the wider internet.
Criminals, hackers, and scammers have all taken advantage of this. There have been instances of attackers passing off malicious software as WhatsApp desktop applications. If one is unfortunate enough to have downloaded one of these, the installation can distribute malware or otherwise compromise the computer.