939 points by EwanToo 2482 days ago | 283 comments on HN
Moderate positive Editorial · v3.7 · 2026-02-28 09:17:13
Summary: Privacy & Surveillance Advocates
This Financial Times investigative article documents a WhatsApp vulnerability enabling Israeli spyware company NSO Group to inject Pegasus surveillance onto thousands of phones, with particular targeting of human rights lawyers, journalists, activists, and dissidents. The article extensively covers the privacy violation, WhatsApp's emergency protective response, and ongoing legal and regulatory efforts by civil rights organizations, governments, and victims to prevent abuse. The reporting strongly advocates for privacy rights, accountability in surveillance technology, and international oversight of surveillance exports.
Google's Project Zero team investigated WhatsApp's and FaceTime's video conferencing last year:
"Overall, WhatsApp signalling seemed like a promising attack surface, but we did not find any vulnerabilities in it. There were two areas where we were able to extend the attack surface beyond what is used in the basic call flow. First, it was possible to send signalling messages that should only be sent after a call is answered before the call is answered, and they were processed by the receiving device. Second, it was possible for a peer to send voip_options JSON to another device. WhatsApp could reduce the attack surface of signalling by removing these capabilities."
"Using this setup, I was able to fuzz FaceTime calls and reproduce the crashes. I reported three CVEs in FaceTime based on this work."
All my life I've thought spyware was developed primarily by evil Russian and Chinese hackers. But apparently also by Israeli developers with their government's blessing and open endorsement. That's some very shady stuff.
Before someone says something about government surveillance of fiber cables. Yes, that is also bad, but exploiting vulnerabilities to install spyware on people's phones... It crosses yet another line that shouldn't ever be crossed.
I guess these types of vulnerabilities could be placed intentionally. It would allow certain agencies to gain access via "exploit" and all the while claim they support user privacy. These companies are under pressure from governments (like the recent Australian government law requiring access to encrypted messages). Seems like a decent solution for company and governments.
It seems to me that if this is possible an OS software upgrade of some sort is urgently required, in addition to possible updates of WhatsApp. How come there isn’t coverage of this as Android and iOS vulnerabilities?
Updated WhatsApp on my iPhone just now. The version I got was 2.19.50. According to the CVE it's still vulnerable. Unable to get 2.19.51 which is the first fixed version. Is this just me? Or is everyone else updating to a still-vulnerable version?
What about WeChat? There are lots of seemingly pretty girls trying to voice or video call these days. Either I'm suddenly rich in their eyes or there's something fishy going on.
CVE-2019-3568 suggests this was a buffer overflow. I'd like to understand why this was implemented in native code - Android seems to have an `android.net.rtp` package?
Is this simply for performance, or to enable code-sharing across Android and iOS? Is there anything about WhatsApp's use-case that would prevent an implementation using managed code?
Spooky. I just travelled to Israel and this evening, at around 3 AM, iOS notified me that WhatsApp had been accessing my location in the background, which I had never seen before except when sharing my location with a friend.
There was Stuxnet, which was almost certainly a joint US/Israeli operation (likely other minor players involved), and plenty of other programs we never hear about.
Yeah, there's a cottage industry of security firms who sell exploits to the U.S. government directly or indirectly through big defense contractors. Many, and I personally have assumed _most_ (but without checking), are American firms.
And, frankly, the Israeli industry has much to gain by advertising their prowess in order to bolster their IT security bona fides internationally. American firms are probably more discreet, so tabulating widely published exploits by country of origin wouldn't be a great metric to determine which country is doing the most work crafting exploits.
Wow! I had no idea there was a whole industry selling spyware to dictatorships. Surveillance equipment, yes, but not actual hacking tools. Really sickening. Must be why governments in Europe are so afraid of Huawei building 5G networks - they will only run Chinese spyware.
> All my life I've thought spyware was developed primarily by evil Russian and Chinese hackers. But apparently also by Israeli developers with their government's blessing and open endorsement. That's some very shady stuff.
Gamma Group is an Anglo-German company that provides similar surveillance software with government blessing and endorsement. Hacking Team (Italian company) sells similar surveillance software to various European governments. Before an embarrassing data breach in 2015 they also used to sell surveillance software to various totalitarian regimes outside Europe.
>All my life I've thought spyware was developed primarily by evil Russian and Chinese hackers.
You've led a very sheltered life if you think the Russians and the Chinese have been more evil than the Americans or the Israelis. I suggest reading history - a lot of it. When it comes to governments there are no good guys, only bad guys.
The industry calls this a "bug-door" and yes, plausible deniability is key. Most of this has been hypothetical possibility. This case does not fit that bill though as the vendor discovered it was being used by another country, prevented the exploit against a user, fixed it, and alerted the authorities. Would be more peculiar if it was a US-based company selling the spyware.
In both cases, the closed-source nature of the applications stymied their efforts.
Why do you say that? In the WhatsApp case, they were able to repeatedly modify the code and also yank it out and run it in their own controlled environment, etc.
My gut tells me no. Signal switched over to using the Signal Protocol for call signaling. It had used a few different signaling standards over the years (when it used to be called Redphone).
However, it's impossible to really know for sure as the server component for calls is a proprietary black box.
> Before someone says something about government surveillance of fiber cables.
Anything that goes unencrypted over the internet is (a) public and (b) liable to be changed by anyone in transit. It's like a travelling Wikipedia article.
Gaining control of WhatsApp gains access to any API accessible to WhatsApp. Incompetent reporting may be at fault.
On Android, WhatsApp seeks a wide array of permission-controlled APIs. It does so on iOS as well. Once granted, the app has access to any data available through access-allowed APIs.
App code goes through an audit process to ensure that the app isn’t using accessible APIs inappropriately, and doesn’t permit unapproved code execution.
This vulnerability allows an attacker to execute unapproved code in the WhatsApp context. Any API that iOS or Android offer WhatsApp under normal circumstances is now attacker-controlled.
The two questions unanswered by the press to date are simple. On iOS and on Android, can the attacker’s code be terminated by force-quitting and uninstalling WhatsApp?
Either the attack is persistent only because it sets up shop inside the app, which may have OS-granted background and/or screen-off execution rights, and thus can be terminated simply by quitting and removing the app — or, the attack gains persistence beyond the confines of the app.
Media reports are unclear on this point. If the OS offers apps endpoints that an app executing attacker-controlled code can use to infect the OS with persistent attack code that executes outside the app’s boundaries and remains after app uninstallation, then that’s absolutely a flaw in the design of the OS. As you say, “Android and iOS vulnerabilities”.
I'm not sure what can be done nowadays. In the past you would say, format disks and go back to a backup before the threatening event happened. But nowadays all our stuff is in the cloud and you can only go back to the state from 10 minutes ago, and all our disks are flash drives that you can't fully format as an end user. Maybe you can just accept that some viruses will always be there and act accordingly.
You need to go to the app store app, then the updates tab and pull down to refresh (yes, the updates tab, not WhatsApp listing in the store). When you do that, you'll see the newest version becomes available for update. This happens whenever an update is set to phased release and hasn't reached 100% yet.
Article is fundamentally about privacy violation: unauthorized voice calls enable remote surveillance, microphone/camera activation, email/message access, and location tracking without consent. Calls disappear from logs to hide intrusion. Extensive documentation of the privacy harm, technical vulnerability, and protective/legal response
FW Ratio: 60%
Observable Facts
Headline and lede: 'A vulnerability in the messaging app WhatsApp has allowed attackers to inject commercial Israeli spyware on to phones' via 'voice call function' without user answer, with 'calls often disappeared from call logs'
Article describes Pegasus capability: 'can turn on a phone's microphone and camera, trawl through emails and messages and collect location data'
Article quotes WhatsApp: 'This attack has all the hallmarks of a private company known to work with governments to deliver spyware'
Inferences
The article's technical documentation of surveillance mechanisms and privacy invasion clearly maps to Article 12's right to privacy and protection of communications
The prominence of WhatsApp's emergency patching and researcher intervention suggests editorial framing of privacy protection as urgent collective responsibility
+0.70
Article 30: No Destruction of Rights
High A: abuse prevention A: oversight
Editorial
+0.70
SETL
+0.53
Article is fundamentally about preventing abuse of surveillance technology: NSO and government clients are deploying spyware without proper oversight or accountability. Article extensively documents the abuse and advocates for prevention via transparency, legal action, and export license revocation. Amnesty International quote: 'NSO Group sells its products to governments who are known for outrageous human rights abuses'
FW Ratio: 67%
Observable Facts
Article's central focus: 'NSO advertises its products to Middle Eastern and western intelligence agencies... Pegasus is intended for governments to fight terrorism and crime'
Article quotes Amnesty International: 'NSO Group sells its products to governments who are known for outrageous human rights abuses, giving them the tools to track activists and critics'
Article documents abuse: UK lawyer, Mexican journalists, Saudi dissident all targeted; article reports Amnesty found 'attempt to hack into the phone of one its researchers'
Article documents prevention efforts: multiple lawsuits, Amnesty filing for 'defence ministry to cancel NSO's export licence,' WhatsApp emergency patching
Inferences
The article's extensive documentation of surveillance misuse without oversight clearly maps to Article 30's requirement to prevent abuse of UDHR rights
The prominence given to legal remedies and export license cancellation indicates editorial commitment to preventing future abuse through accountability and export controls
+0.50
Article 3: Life, Liberty, Security
Medium A: security A: protection
Editorial
+0.50
SETL
+0.45
Article extensively documents threats to bodily autonomy and personal security (remote camera/microphone activation enabling tracking, location harvesting); frames WhatsApp's emergency response and researcher intervention as protective measures
FW Ratio: 50%
Observable Facts
Article describes Pegasus spyware functionality: 'can turn on a phone's microphone and camera, trawl through emails and messages and collect location data'
Article states WhatsApp 'began rolling out a fix' and 'teams of engineers had worked around the clock' to patch the vulnerability by Monday
Inferences
The prominence given to protective technical measures and researcher intervention suggests editorial framing of security threats as addressable through collective action
The article's focus on enabling protective response indicates implicit commitment to Article 3 security rights
+0.50
Article 19: Freedom of Expression
Medium A: expression A: press freedom
Editorial
+0.50
SETL
+0.39
Article extensively documents surveillance targeting individuals exercising expression (journalists, activists, lawyers advocating against abuse). Article quotes a targeted lawyer saying the targeting is evidence that 'abuses are continuing.' FT's publication of this reporting despite surveillance threats implicitly affirms the importance of freedom of expression
FW Ratio: 50%
Observable Facts
Article identifies surveillance targets as 'human rights lawyers,' 'Mexican journalists and government critics,' 'Saudi dissident,' and researchers seeking to expose the vulnerability
Article quotes targeted lawyer: 'It's upsetting but not surprising that my team has been targeted with the very technology that we are raising concerns about in our lawsuits'
Inferences
The article's detailed framing of surveillance targeting expression advocates as abuse worthy of legal/regulatory response indicates editorial commitment to Article 19
FT's choice to publish this article despite its documentation of targeting against similar journalism indicates implicit affirmation of press freedom and public's right to know
+0.40
Article 8: Right to Remedy
Medium A: remedy A: justice
Editorial
+0.40
SETL
ND
Article prominently documents multiple legal remedies: lawsuits by victims (Mexican journalists, Saudi dissident), human rights lawyers coordinating cases against NSO in Israel, Amnesty International filing for export license cancellation; frames these as legitimate accountability mechanisms
FW Ratio: 50%
Observable Facts
Article states 'The UK lawyer... has helped a group of Mexican journalists and government critics and a Saudi dissident living in Canada sue NSO in Israel'
Article quotes lawyer Alaa Mahajne: 'It's upsetting but not surprising that my team has been targeted... This desperate reaction... itself shows how urgent the lawsuits are'
Inferences
The article's extensive coverage of legal remedies and advocacy efforts indicates editorial acknowledgment of courts and regulatory bodies as appropriate Article 8 mechanisms
The voice given to lawyers and civil rights organizations pursuing remedies suggests the author views legal action as a legitimate response to surveillance abuse
+0.30
Preamble
Medium A: dignity A: freedom A: justice
Editorial
+0.30
SETL
+0.17
Article documents violations of human dignity and freedom through mass surveillance, establishing foundation for UDHR protection of fundamental rights against state/corporate overreach
FW Ratio: 50%
Observable Facts
Article describes surveillance technology that remotely activates phone cameras/microphones and collects location data without user consent
Article quotes Amnesty International stating surveillance victims are targeted for their 'activism' and 'dissidence' based on political identity
Inferences
The article's framing of protective measures and calls for accountability suggests editorial alignment with Preamble values of dignity and human freedom
The detailed documentation of surveillance enabling political control indicates the author's implicit advocacy for the dignity-based framework underlying the UDHR
+0.30
Article 9: No Arbitrary Detention
Medium A: protection F: targeting
Editorial
+0.30
SETL
ND
Article documents systematic targeting of individuals based on their identity/beliefs and describes surveillance enabling tracking that could facilitate arbitrary detention or persecution
FW Ratio: 67%
Observable Facts
Article describes how surveillance software enables 'location data' collection, permitting continuous physical tracking of targets
Article identifies targets as 'human rights lawyers,' 'activists,' and 'dissidents' — categories vulnerable to state persecution
Inferences
The article's framing of surveillance as enabling state/corporate control over vulnerable populations suggests alignment with Article 9 protections
+0.30
Article 20: Assembly & Association
Medium F: association targeting
Editorial
+0.30
SETL
ND
Article documents surveillance targeting groups working collectively: Mexican journalists/government critics coordinating, Saudi dissident working with civil rights groups, UK lawyer coordinating lawsuits with international allies
FW Ratio: 50%
Observable Facts
Article describes 'a group of Mexican journalists and government critics and a Saudi dissident living in Canada sue NSO in Israel' and 'lawyers working on the cases' targeting
Inferences
The article's documentation of coordinated group targeting suggests awareness of surveillance's impact on freedom of association
+0.30
Article 28: Social & International Order
Low A: accountability A: governance
Editorial
+0.30
SETL
ND
Article references government oversight and accountability: Israeli ministry of defence export control, US Department of Justice disclosure, international legal coordination. Implicitly advocates for state/international institutions to establish order respecting rights
FW Ratio: 50%
Observable Facts
Article mentions NSO 'advertises its products to Middle Eastern and western intelligence agencies' and 'Israeli ministry of defence' regulates export controls
Inferences
The article's emphasis on government regulatory oversight implies support for institutions establishing social order that respects rights
+0.20
Article 2: Non-Discrimination
Medium F: discrimination
Editorial
+0.20
SETL
ND
Article identifies surveillance targets by political/ideological identity (journalists, activists, dissidents, lawyers) rather than conduct; documents status-based targeting
FW Ratio: 50%
Observable Facts
Article names surveillance targets as 'human rights campaigners in the Middle East,' 'Mexican journalists and government critics,' 'Saudi dissident,' and states these were selected for coordinated targeting via WhatsApp
Inferences
The article's explicit enumeration of identity-based targeting categories suggests editorial awareness of discrimination as a distinct rights violation from the surveillance itself
+0.20
Article 18: Freedom of Thought
Low F: surveillance chilling
Editorial
+0.20
SETL
ND
Article documents surveillance targeting activists and critics, which implicitly impacts their ability to develop and express thought without state/corporate interference
FW Ratio: 50%
Observable Facts
Article identifies targets as 'human rights lawyers,' 'journalists,' and 'government critics' — groups expected to develop and express heterodox thought
Inferences
The article's documentation of surveillance targeting independent thinkers suggests awareness of how surveillance constrains freedom of thought
ND
Article 1: Freedom, Equality, Brotherhood
Article does not address equal human dignity as a concept
ND
Article 4: No Slavery
Not addressed in article
ND
Article 5: No Torture
Not addressed in article
ND
Article 6: Legal Personhood
Not addressed in article
ND
Article 7: Equality Before Law
Not addressed in article
ND
Article 10: Fair Hearing
Not addressed in article
ND
Article 11: Presumption of Innocence
Not addressed in article
ND
Article 13: Freedom of Movement
Not addressed in article
ND
Article 14: Asylum
Not addressed in article
ND
Article 15: Nationality
Not addressed in article
ND
Article 16: Marriage & Family
Not addressed in article
ND
Article 17: Property
Not addressed in article
ND
Article 21: Political Participation
Not addressed in article
ND
Article 22: Social Security
Not addressed in article
ND
Article 23: Work & Equal Pay
Not addressed in article
ND
Article 24: Rest & Leisure
Not addressed in article
ND
Article 25: Standard of Living
Not addressed in article
ND
Article 26: Education
Not addressed in article
ND
Article 27: Cultural Participation
Not addressed in article
ND
Article 29: Duties to Community
Not addressed in article
Structural Channel
What the site does
+0.30
Article 12: Privacy
High A: privacy A: data protection
Structural
+0.30
Context Modifier
ND
SETL
+0.63
FT's accessibility features enable wider audience access to privacy information; investigative journalism structure supports privacy advocacy
+0.30
Article 30: No Destruction of Rights
High A: abuse prevention A: oversight
Structural
+0.30
Context Modifier
ND
SETL
+0.53
FT's investigative journalism itself prevents abuse through transparency and public accountability; publication enables civil society oversight
+0.20
Preamble
Medium A: dignity A: freedom A: justice
Structural
+0.20
Context Modifier
ND
SETL
+0.17
FT structure (publication, transparency, comment section) enables discourse on dignity and freedom violations
+0.20
Article 19: Freedom of Expression
Medium A: expression A: press freedom
Structural
+0.20
Context Modifier
ND
SETL
+0.39
FT's publication and comment section enable public discourse; comment section allows reader expression
+0.10
Article 3: Life, Liberty, Security
Medium A: security A: protection
Structural
+0.10
Context Modifier
ND
SETL
+0.45
FT's investigative publication documenting the threat and response contributes to public security awareness
build d1f8d9e+mpqz · deployed 2026-02-28 11:28 UTC · evaluated 2026-02-28 11:37:51 UTC