
Meta Whistleblower Says 1,500 Engineers Have Access to WhatsApp Data
Is this failure by design?
The former Head of Security for WhatsApp, Attaullah Baig, has filed a retaliation lawsuit against Meta, alleging that he was fired for trying to improve security at WhatsApp.
The lawsuit paints a picture of big tech companies that look extremely professional on the surface but whose security is falling apart behind the scenes, almost as if by design.
Intro
WhatsApp has countered the suit, saying Baig was let go for poor performance, yet his record in technology is an accomplished one: he designed security systems for PayPal and Capital One and previously served as a CTO.
He joined Meta in January 2021 and excelled in the company's five-week bootcamp for new hires; there he was recruited to WhatsApp as Head of Security, a role he started in February.
He was surprised to find that WhatsApp had only recently created a dedicated security team, in response to the 2019 Amnesty International report on the Pegasus spyware, which described how WhatsApp was used as an attack vector.
Pegasus can silently take over a victim's phone and give its operator complete visibility into all of the victim's communications, without the user needing to click on anything.
Some versions of Pegasus are 'zero-click': the attacker does not need the victim to perform any action, not even opening a message. Simply having WhatsApp installed and active is enough to be vulnerable.
Just last month, WhatsApp patched another of these zero-click exploits, this one targeting its macOS and iOS apps; yet, as Baig uncovered, the company may have known about such flaws for years.
Insider Investigation
With this new focus on security in 2021, Baig began by trying to establish what data WhatsApp actually collected.
He was astonished to find that nobody knew the full extent of the data collected, and that it was documented nowhere. Through 'red-teaming', that is, simulating real attacks against WhatsApp's infrastructure, Baig and his team discovered that roughly 1,500 engineers across Meta (not just WhatsApp) had production access to user data and could move or steal it. This included address books and the contact information of users' friends. Without any logging of that access, nobody could say whether it had ever been abused.
The security team at the time numbered six people, and Baig found that even as Head of Security he could not grow it beyond ten.
He also found that WhatsApp engineers rarely worked on anything meaningful. Many manufactured busywork for themselves, breaking and re-fixing features thousands of times a year to qualify for promotions.
In his efforts to improve security, Baig pushed for three basic controls:
- logging every access to user data, so that misuse could be detected
- an inventory of the user data stored
- a map of the infrastructure that stores it
These are foundational measures, the kind of thing that should have been 'easy' to do.
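As an added illustration of the first control, access logging, the script below is example code written for this page; it is not WhatsApp or Meta code, and the role names, field names and hash-chained JSON-lines log format are assumptions. Each read of a sensitive field must name the actor, the actor's role and a reason, and is allowed only when the role is on the allow-list for that field; every attempt, allowed or denied, is appended to an audit log whose entries are hash-chained, so that someone with write access to the log cannot quietly edit one entry without breaking every link after it.

```python
"""Audit-logged access gate for user data.

Added example, not WhatsApp or Meta code. Role names, field names and the
hash-chained JSON-lines log format are assumptions made for illustration.
"""
import hashlib
import json
import time

GENESIS = "0" * 64  # hash value the first log entry chains from

# Assumed allow-list: which roles may read which field.
ALLOWED_ROLES = {
    "address_book": {"abuse-investigator"},
    "profile_name": {"abuse-investigator", "support-agent"},
}


def _chain_hash(prev_hash, entry_json):
    """Hash of this entry, bound to the hash of the previous one."""
    return hashlib.sha256((prev_hash + entry_json).encode()).hexdigest()


class UserDataStore:
    def __init__(self, records):
        self.records = records   # user_id -> {field: value}
        self.audit_log = []      # JSON lines, each naming the previous entry's hash

    def read(self, actor, role, user_id, data_field, reason, now=None):
        now = time.time() if now is None else now
        allowed = (
            role in ALLOWED_ROLES.get(data_field, set())
            and bool(reason.strip())
            and user_id in self.records
        )
        prev = json.loads(self.audit_log[-1])["hash"] if self.audit_log else GENESIS
        entry = {"ts": now, "actor": actor, "role": role, "user": user_id,
                 "field": data_field, "reason": reason, "allowed": allowed, "prev": prev}
        entry["hash"] = _chain_hash(prev, json.dumps(entry, sort_keys=True))
        # Log before returning anything, so a denied attempt is recorded too.
        self.audit_log.append(json.dumps(entry, sort_keys=True))
        if not allowed:
            raise PermissionError(f"{actor} ({role}) may not read {data_field} of {user_id}")
        return self.records[user_id][data_field]


def verify_chain(audit_log):
    """Return -1 if the log is intact, else the index of the first entry whose
    chain link or hash does not match."""
    prev = GENESIS
    for i, line in enumerate(audit_log):
        entry = json.loads(line)
        claimed = entry.pop("hash")
        if entry["prev"] != prev or _chain_hash(prev, json.dumps(entry, sort_keys=True)) != claimed:
            return i
        prev = claimed
    return -1


def demo():
    """Constructed scenario: two legitimate reads, one denied read, then an
    attempt to rewrite the denial in place."""
    records = {f"user{i}": {"address_book": [f"contact{i}a", f"contact{i}b"],
                            "profile_name": f"User {i}"} for i in range(4)}
    store = UserDataStore(records)
    t = 1_700_000_000.0
    name = store.read("agent-1", "support-agent", "user1", "profile_name", "TICKET-41", now=t)
    store.read("agent-1", "support-agent", "user2", "profile_name", "TICKET-42", now=t + 60)
    try:  # a role with no business need for address books is refused, and the refusal is logged
        store.read("growth-eng", "growth-engineer", "user3", "address_book", "curious", now=t + 120)
        denied = False
    except PermissionError:
        denied = True
    # Someone with write access to the log flips the denial to an approval without re-chaining.
    tampered = list(store.audit_log)
    edited = json.loads(tampered[2])
    edited["allowed"] = True
    tampered[2] = json.dumps(edited, sort_keys=True)
    return {"name": name, "denied": denied, "entries": len(store.audit_log),
            "intact": verify_chain(store.audit_log), "tampered_at": verify_chain(tampered)}


if __name__ == "__main__":
    print(demo())
```

The chain only helps if the latest hash is regularly anchored somewhere that the engineers with production access cannot write, such as an append-only store run by a separate team; otherwise a tamperer can simply re-chain every entry after the one they edited.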
Instead, Baig found himself stonewalled by his managers at every step; they downplayed the issues and blocked any real action.
After some time of this, Baig felt compelled to take his findings to senior leadership.
On September 8th, 2022, Baig circulated the agenda for a meeting with WhatsApp leadership. In it, he wrote that WhatsApp might be in violation of Meta's FTC order.
That order stems from the FTC's 2019 complaint alleging that Facebook (now Meta) had violated its earlier privacy order and misled users about third-party access to their data. Meta settled, paying a $5 billion penalty, the largest the FTC had ever imposed for privacy violations, and accepted a modified order with new privacy obligations.
Retaliation
This meeting is where things took a turn for the worse. From that point on, Baig states, he was micro-managed and constantly critiqued: his manager booked recurring meetings with him and he was rated 'needs improvement.'
Despite this, Baig developed a plan to protect WhatsApp users from 'profile scraping', in which third-party accounts pull information from public WhatsApp profiles in bulk. Scraped online status even lets third parties such as chatwatch.com infer whether two people are talking to each other on WhatsApp, simply by observing that they are online at the same time.
Baig implemented the fix on his own in 2022, without any support, while leadership continued to dismiss privacy issues on the grounds that addressing them would hurt WhatsApp's user growth.
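To show what detecting profile scraping can look like, here is an added example written for this page; it is not WhatsApp's own defence, whose details the lawsuit does not describe. The log line format `<unix_ts> <client_id> profile_lookup <phone>`, the client names and the thresholds are assumptions. It uses two signals: many distinct numbers looked up by one client in a short window, and lookups that walk a numeric range in order, which is the signature of someone enumerating numbers rather than syncing their own contacts.

```python
"""Detector for bulk profile scraping over a constructed request log.

Added example, not WhatsApp or Meta code. The log line format
`<unix_ts> <client_id> profile_lookup <phone>`, the client names and the
thresholds are assumptions made for illustration.
"""
import re
from collections import defaultdict, deque

LINE_RE = re.compile(r"^(\d+) (\S+) profile_lookup \+(\d+)$")


def constructed_log():
    """Constructed sample: one ordinary client, one client enumerating a number block."""
    lines = [
        "1700000000 client-a profile_lookup +14155550101",
        "1700000003 client-a profile_lookup +14155550177",
        "1700000600 client-a profile_lookup +14155550101",  # repeat of a known contact
    ]
    # client-b walks forty consecutive numbers, one lookup per second.
    lines += [f"{1700000010 + i} client-b profile_lookup +4420712300{i:02d}" for i in range(40)]
    return "\n".join(lines)


def parse(log_text):
    """Return (ts, client, phone_as_int) per well-formed line; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return events


def flag_scrapers(events, window_s=300, max_distinct=20, min_sequential_run=10):
    """Map client -> list of reasons, for the clients that look like scrapers."""
    per_client = defaultdict(list)
    for ts, client, phone in sorted(events):
        per_client[client].append((ts, phone))
    verdicts = {}
    for client, evs in per_client.items():
        reasons = []
        # Signal 1: more than max_distinct different numbers inside any window_s window.
        window = deque()
        for ts, phone in evs:
            window.append((ts, phone))
            while ts - window[0][0] > window_s:
                window.popleft()
            if len({p for _, p in window}) > max_distinct:
                reasons.append("volume")
                break
        # Signal 2: a long run of lookups where each number is the previous one plus one.
        run = best = 1
        for (_, a), (_, b) in zip(evs, evs[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= min_sequential_run:
            reasons.append("sequential")
        if reasons:
            verdicts[client] = reasons
    return verdicts


if __name__ == "__main__":
    print(flag_scrapers(parse(constructed_log())))
```

In a real deployment the same per-client budget would be enforced at the API as a rate limit rather than only flagged afterwards, and the thresholds would be tuned so that a legitimate contact sync of a large address book is not mistaken for enumeration.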
Baig saw that WhatsApp and Meta functioned like a cult, where leadership direction was not to be challenged, even when that meant the company lying to officials and the public.
It is companies like WhatsApp, with a corrupted political structure and backwards incentives, that we entrust our most personal data to, not knowing that the gates have been left open on the other side.
We are reminded once again that big tech companies put user growth and profits over people's privacy, and have no problem lying to their users and customers.
Is this gross incompetence, or is it failure by design?
We choose to celebrate Attaullah Baig for his efforts in the face of his employer's abuse, along with everyone working inside companies to improve user privacy.
This is a segment from #TBOT Show Episode 14. Watch the full episode here!

Take Back Our Tech Newsletter