
Posted by mdhb 5 days ago

Ex-WhatsApp cybersecurity head says Meta endangered billions of users(www.theguardian.com)
347 points | 183 comments
mentalgear 5 days ago|
Seems just in line with all the other Meta scandals: from providing a platform for genocide in Myanmar, harming the psychology of 100s of millions of teenagers (Instagram) to pushing extremist and fascist content while receiving big ad cash dollars for propaganda that lifts criminals and fascist politicians into the highest offices. Meta has no red lines, as long as it lines Zuckerberg's pockets.
xvector 5 days ago||
> WhatsApp engineers could “move or steal user data” including contact information, IP addresses and profile photos “without detection or audit trail”.

So not messages.

haileyLlyod3 4 days ago||
[dead]
wordofx 5 days ago||
So much for that e2e encryption that HN claimed was so good and that META couldn't possibly use WhatsApp messages to do advertising from.
alaq 5 days ago||
Messages are e2e and WA doesn't have access to them. We're talking about the metadata here.

From the article: > including contact information, IP addresses and profile photos

I can confirm this, I used to work at WhatsApp.

const_cast 4 days ago|||
> Messages are e2e and WA doesn't have access to them. We're talking about the metadata here.

You're still just blindly trusting this is the case. You can't verify the encryption or any of the code.

It would be trivial to actually encrypt the message and send it out and then store an unencrypted version locally and quietly exfiltrate it later.

They have to already be storing an unencrypted version locally, because you can see the messages. So unless you're analyzing packets on the scale of months or years, you cannot possibly know that it isn't being exfiltrated at some point.

Take it a step further: put the exfiltration behind a flag, and then when the NSA asks, turn on the flag for that person. Security researchers will never find it.

roelschroeven 5 days ago||||
We don't really know that messages really are end-to-end encrypted though, do we? Is there a way to actually check that the messages in transit are encrypted in a way that only the other end can decrypt them? If not, we have to take Meta's word for it, which frankly doesn't carry much weight.
varenc 4 days ago|||
Not trivially. But with painstaking reverse engineering you could prove this. And people have, so you're not exclusively just taking Meta's word. The fact that Pegasus malware relied on a remote code execution vuln to run malware on your phone to extract WhatsApp messages really suggests that the E2EE works. If it wasn't E2EE, then the makers of Pegasus could have just intercepted traffic to get your messages.

Academics have also reverse engineered it, and though there are some weaknesses it's not a lie that WhatsApp is E2EE. Here's some I just found:

- https://eprint.iacr.org/2025/794.pdf

- https://i.blackhat.com/USA-19/Wednesday/us-19-Zaikin-Reverse...

wordofx 4 days ago||
This does not prove that Meta does not have the ability to decrypt the messages.
varenc 4 days ago||
Eh, well painstaking reverse engineering is like having the source code, just 10000x more work. With that I feel like it should be possible to ensure this, or at least with some high level of confidence.
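The point const_cast and varenc are circling above (that a passive look at the packets cannot tell an honest E2EE client from one that also ships a server-readable copy behind a flag, so the check has to be of the client code itself) as an added example that is not part of the thread and is not WhatsApp's or Meta's code. It is stdlib-only Python; the cipher is a toy (HMAC-SHA256 keystream plus an HMAC tag) standing in for a real AEAD, the two-channel wire format, the `SETTINGS_BLOB` payload and the sample message are constructed for illustration, and `observer_view` is what a network observer gets: channel names and sizes of uniformly random-looking bodies.

```python
"""Why packet capture alone cannot confirm "end-to-end" encryption.

Added example, not code from the thread, from WhatsApp or from Meta.
The cipher is a toy (HMAC-SHA256 keystream + HMAC tag) standing in
for a real AEAD, and the wire format is invented for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

NONCE_LEN = 12
TAG_LEN = 16
BLOCK = 256  # every payload is padded to this size, as messengers do to hide length


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _pad(plaintext: bytes) -> bytes:
    if len(plaintext) > BLOCK - 2:
        raise ValueError("payload too large for one block")
    return len(plaintext).to_bytes(2, "big") + plaintext + b"\x00" * (BLOCK - 2 - len(plaintext))


def _unpad(padded: bytes) -> bytes:
    n = int.from_bytes(padded[:2], "big")
    return padded[2 : 2 + n]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag (encrypt-then-MAC); same length for every input."""
    nonce = os.urandom(NONCE_LEN)
    padded = _pad(plaintext)
    ct = bytes(a ^ b for a, b in zip(padded, _keystream(key, nonce, BLOCK)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def toy_decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None if the tag does not verify under this key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return _unpad(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, BLOCK))))


@dataclass(frozen=True)
class WireRecord:
    channel: str  # "msg" (to the recipient) or "sync" (to the operator's backend)
    body: bytes


SETTINGS_BLOB = b"settings:theme=dark;notifications=on"  # constructed sample payload


def honest_client(session_key: bytes, server_key: bytes, message: bytes) -> List[WireRecord]:
    """Message goes out under the session key only; the server-keyed channel carries settings."""
    return [
        WireRecord("msg", toy_encrypt(session_key, message)),
        WireRecord("sync", toy_encrypt(server_key, SETTINGS_BLOB)),
    ]


def backdoored_client(session_key: bytes, server_key: bytes, message: bytes,
                      exfil_flag: bool) -> List[WireRecord]:
    """Identical on the wire, but with the flag set the 'sync' slot carries a
    server-readable copy of the message (the plaintext is already local, since
    the app has to display it)."""
    sync_payload = message if exfil_flag else SETTINGS_BLOB
    return [
        WireRecord("msg", toy_encrypt(session_key, message)),
        WireRecord("sync", toy_encrypt(server_key, sync_payload)),
    ]


def observer_view(records: List[WireRecord]) -> List[Tuple[str, int]]:
    """Everything a passive network observer learns: channel and size; bodies look random."""
    return [(r.channel, len(r.body)) for r in records]


def server_reads(server_key: bytes, records: List[WireRecord]) -> List[bytes]:
    """Plaintexts the operator can recover with the key it holds."""
    return [pt for pt in (toy_decrypt(server_key, r.body) for r in records) if pt is not None]


def recipient_reads(session_key: bytes, records: List[WireRecord]) -> Optional[bytes]:
    for r in records:
        if r.channel == "msg":
            return toy_decrypt(session_key, r.body)
    return None


def demo(message: bytes = b"meet at 9, bring the documents") -> dict:
    """Constructed sample run: honest vs. backdoored client, flag off and on."""
    session_key, server_key = os.urandom(32), os.urandom(32)
    honest = honest_client(session_key, server_key, message)
    flagged = backdoored_client(session_key, server_key, message, exfil_flag=True)
    unflagged = backdoored_client(session_key, server_key, message, exfil_flag=False)
    return {
        "wire_identical": observer_view(honest) == observer_view(flagged) == observer_view(unflagged),
        "recipient_ok": recipient_reads(session_key, flagged) == message,
        "server_sees_honest": message in server_reads(server_key, honest),
        "server_sees_unflagged": message in server_reads(server_key, unflagged),
        "server_sees_flagged": message in server_reads(server_key, flagged),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The three clients produce byte-for-byte equivalent traffic shapes and the recipient decrypts normally in every case, yet only with the flag on does the operator's key recover the message. Nothing in a capture distinguishes the cases; what does is knowing which key each ciphertext was produced under, which is exactly what disassembling the client (or reproducible builds from audited source) establishes and traffic analysis cannot.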
lioeters 5 days ago|||
How can we call it "E2E encryption" in any meaningful sense of the term when the ends run proprietary code, and at least one of the ends has proven themselves unworthy of trust time and again?
wordofx 5 days ago|||
Meta/WA. Same thing. Might have worked at WhatsApp but FB still advertises based on conversation content.
jonoc 5 days ago||
Not sure this is correct - alaq said the messages are e2e, so not visible at all by anyone other than the participants of the conversation. The meta->data<- however IS visible by them and can and is likely to be used for advertising.
another_twist 5 days ago||
Of course the metadata is visible. It's probably more useful than the actual content of the conversation too. I mean from an ML perspective how would you even make features out of conversation that help with CTR? That too without creeping the users out. I'd imagine it's the same reason why Meta doesn't (likely) listen in on mobile mics. Why go through the whole shebang of running always-on transcription when simple features like who talked to whom and at what times are more useful at establishing user similarities.
jonoc 4 days ago||
I'm not making a stance on things, just clarifying the previous comment
tamimio 4 days ago||
HN isn't a monolith, I personally never said WhatsApp is good, and I'm telling you from now: avoid Signal too till they remove the phone number requirement AND you can deploy your own server.
farceSpherule 5 days ago||
[flagged]
ath3nd 5 days ago||
Gang, who should we believe: a rando with 10 karma points who acts like he knows it all without any evidence or one of the last remaining journalistic institutions?

My man, Meta were caught torrenting/pirating books to train the garbage that is llama. Meta enabled a couple of genocides including the one in Myanmar. Meta suppressed reports on children's safety (Washington Post probably is also activist journalism, right? https://www.washingtonpost.com/investigations/2025/09/08/met...).

We are not surprised at all that a company that has been consistently evil is evil again.

wizzwizz4 5 days ago||
Facebook doesn't give me a straight answer, when I ask them questions about their policies, even when my questions aren't answered by their policies. The job of the privacy team within Facebook is not privacy: it's reducing liability.
farceSpherule 5 days ago||
You obviously do not or have never worked there.
wizzwizz4 5 days ago|||
Obviously not: if I had, I'd have inside contacts I could ask, instead of having to bother their public relations people to beg for scraps of intel about what they're doing with my information, while they act

I don't believe they've lied to me – I'm not so uncharitable as to assume their incorrect "it's written in the policy!" claims were deliberate lies –, but they're certainly not forthcoming.

inetknght 5 days ago|||
You obviously do not or have never paid attention to news about Meta's many and repeated moral, ethical, and legal violations.

That, or you have a vested interest in making sure that your stake in Meta does not depreciate in value.

fHr 5 days ago||
still use Facebook, Instagram and WhatsApp you sheeple
ath3nd 5 days ago||
What a trash company Meta has consistently been.

From enabling genocide in Myanmar, to interfering with elections, to giving user data to third parties in violation of its own data policies, to straight up weird stuff like pirating/torrenting books to train their steaming pile of garbage called llama, to having sex chatbots be weird to children.

And then there are the even weirder decisions of zuck, the biggest loser of all:

- VR didnt seem to catch on

- the metaverse is a giant smelly pile of poo and he sunk millions in it

- he is hiring AI engineers at absurd money in a rapidly cooling bubble market

- he immediately started ass kissing the orange stain that calls himself president

Is he purposefully trying to be a caricature cartoon villain, a grotesque loser, and his company an emblem of evil? Or is it just cluelessness?

asadotzler 4 days ago||
>the metaverse is a giant smelly pile of poo and he sunk millions in it

He sunk tens of billions.

Estimates (because we don't have "Reality Labs" broken out before 2019) put Zuck's Metaverse Misadventure & Boondoggle about $75B in the hole ($10B revenue on $85B spend) with no signs of a turnaround in revenue.

There are plans to turn things around with AR spectacles but decent ones are years off and will require entirely new investment with little re-use of that $75B Metaverse nonsense (Oculus acquisition, 5 generations of Quest R&D, Horizon Worlds, partnered and sponsored games and content, etc.)

The only real ROI will be the experience and staff gained. The rest will almost certainly land in the dustbin.

globalnode 5 days ago||
They managed to tap into a seemingly unlimited ocean of uninformed useful idiots, paid shills, bots and psychopaths. It's how you get rich in social media.
rhizome 5 days ago||
Greater Fool Theory
vladmk 5 days ago||
nothing new here.
daryl_martis 4 days ago||
Muck Feta
gnabgib 5 days ago|
Edit: Oof good catch (bad day for Meta)
mdhb 5 days ago|
This is unfortunately entirely separate from that other article.

FTA:

> Attaullah Baig, who served as head of security for WhatsApp from 2021 to 2025, claims that approximately 1,500 engineers had unrestricted access to user data without proper oversight, potentially violating a US government order that imposed a $5bn penalty on the company in 2020.
