Summary

  • WhatsApp has recently undergone a formal audit and the results show some minor areas of concern regarding cryptographic guarantees associated with adding a new user to a group.
  • TeleMessage, a Signal-compatible client that offered additional message archiving features, was used to compromise Signal communications of US government officials, highlighting the tension between the need for transparent archiving and the need for end-to-end encryption.
  • WhatsApp has also been in the news for winning a legal judgement against NSO Group for its Pegasus spyware, signaling a shift in the era of NSO’s nearly unrestricted actions and the actions of other “legal” spyware/malware vendors.
  • The human element continues to be the weak point in any cryptography scheme, with cryptocurrency being particularly vulnerable to simple deception and social engineering.
  • Another concerning issue is the use of AI-generated vulnerability reports to flood open source projects with false leads.
  • Finally, this week saw a supply chain attack triggered against several hundred Magento e-commerce sites, and an update to the Ottokit WordPress plugin to fix a critical vulnerability, although the fix has yet to stop threat actors from attempting to use the exploit.

By Jonathan Bennett
