{"id":46252,"date":"2024-12-23T16:35:18","date_gmt":"2024-12-23T21:35:18","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=46252"},"modified":"2025-05-13T14:27:39","modified_gmt":"2025-05-13T18:27:39","slug":"whatsapp-v-nso-group","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2024\/12\/23\/whatsapp-v-nso-group\/","title":{"rendered":"WhatsApp v. NSO Group"},"content":{"rendered":"

Reuters<\/a> (via Hacker News<\/a>, Court Listener<\/a>):<\/p>\n

U.S. judge ruled on Friday in favor of Meta Platforms’, WhatsApp in a lawsuit accusing Israel’s NSO Group of exploiting a bug in the messaging app to install spy software allowing unauthorized surveillance.<\/p>

[…]<\/p>

WhatsApp in 2019 sued NSO seeking an injunction and damages, accusing it of accessing WhatsApp servers without permission six months earlier to install the Pegasus software on victims’ mobile devices. The lawsuit alleged the intrusion allowed the surveillance of 1,400 people, including journalists, human rights activists and dissidents.<\/p><\/blockquote>\n\n

kdbg<\/a>:<\/p>\n

I’m not a lawyer so maybe I’m misunderstanding something but the plaintiff is Whatsapp, not the journalists. This isn’t really about holding NSO Group accountable for hacking journalists at all\nThe fact journalists were compromised seems only incidental, the ruling is about weather or not NGO Group “exceeded authorization” on WhatsApp by sending the Pegasus installation vector through WhatsApp to the victims and not weather they were unauthorized in accessing the victims.<\/p>

[…]<\/p>

Adding a little more detail that comes from the prior dockets and isn’t in the judgement directly but basically NSO Group scripted up a fake Whatsapp client that could send messages that the original application wouldn’t be able to send. They use this fake client to send some messages that the original application wouldn’t be able to send which provide information about the target users’ device. In that the fake client is doing something the real client cannot do (and fake clients are prohibited by the terms) they exceeded authorization.<\/p>

Think about that for a moment and what that can mean. I doubt I’m the only person here who has ever made an alternative client for something before.<\/p>

Whatapp (that I recall) does not claim that the fake client abused any vulnerabilities to get information just that it was a fake client and that was sufficient.<\/p><\/blockquote>\n\n

I guess the vulnerabilities they exploited were in the operating systems, not in WhatsApp, but Apple withdrew its suit against NSO Group.<\/p>\n\n

See also: Nick Heer<\/a>.<\/p>\n\n

In other news about old lawsuits, I just received my small settlement checks from Peters v. Apple<\/a> and Equifax<\/a>.<\/p>\n\n

Previously:<\/p>\n