


Whistle-Blower Sues Meta Over Claims of WhatsApp Security Flaws (nytimes.com)
The former head of security for WhatsApp filed a lawsuit on Monday accusing Meta of ignoring major security and privacy flaws that put billions of the messaging app's users at risk, the latest in a string of whistle-blower allegations against the social media giant. The New York Times: In the lawsuit filed in the U.S. District Court of the District of Northern California, Attaullah Baig claimed that thousands of WhatsApp and Meta employees could gain access to sensitive user data including profile pictures, location, group memberships and contact lists. Meta, which owns WhatsApp, also failed to adequately address the hacking of more than 100,000 accounts each day and rejected his proposals for security fixes, according to the lawsuit.
Mr. Baig tried to warn Meta's top leaders, including its chief executive, Mark Zuckerberg, that users were being harmed by the security weaknesses, according to the lawsuit. In response, his managers retaliated and fired him in February, he claims. Mr. Baig, who is represented by the whistle-blower organization Psst.org and the law firm Schonbrun, Seplow, Harris, Hoffman & Zeldes, argued in the suit that the actions violated a privacy settlement Meta reached with the Federal Trade Commission in 2019, as well as securities laws that require companies to disclose risks to shareholders.
And this is why I choose Signal (Score:3)
Re: (Score:2)
Meta claims security, but doesn't care to apply it.
Bots all over, and no care for anything. It's almost as if they see their users as pawns.
Re: (Score:2)
WhatsApp offers the following settings:
Profile photo
Who can see my Profile Photo
- Everyone
- My contacts
- My contacts except...
- Nobody
I think the default is Everyone.
There is also a setting for "who can see my Live Location". Since I don't allow WhatsApp to access my location at all, that one is firmly off.
Re: (Score:2)
There is no privacy, and privacy apps are only used by scammers and criminals anyway.
InfoSec Victims. (Score:4, Insightful)
While most might be wrapped up in the labels (Meta, WhatsApp, etc.), we shouldn’t overlook the core of the issue; an InfoSec professional was fired for merely wanting to do his job. Also known as the job he was hired to do.
Without getting into detail, I know the fucking feeling. And we should probably be more focused on that than bullshit brands and labels that enable the kind of finger pointing that overlooks the core issue. If InfoSec professionals are going to continue to be targeted and/or become the fall guy/girl, then why in the FUCK would anyone get into the InfoSec profession?
Good luck convincing some sucker to take that fucking job in the future. If you think you’re untouchable, remember Mudge was fired from Twitter for the exact same thing. Going in front of Congress on the issue didn’t do jack shit. And you ain’t no Mudge. Neither am I.
Re: (Score:2)
While most might be wrapped up in the labels (Meta, WhatsApp, etc.), we shouldn’t overlook the core of the issue; an InfoSec professional was fired for merely wanting to do his job. Also known as the job he was hired to do.
If he really thought that "InfoSec professionals are hired to improve security and protect privacy", then he was very, very naive. Company executives hire "InfoSec professionals" to tick off a box on their "cover your ass!"-list, such that they can get a "cyber-crime insurance" and have a scapegoat to point at when the security shit hits the fan. The last thing expected from an "InfoSec professional" is to burden the next quarter bottom line with any substantial cost/effort for implementing real, technical
Color me surprised? (Score:2)