Earlier this year, news broke that a vulnerability in WhatsApp allowed a spyware tool to be injected into phones with a simple call that wouldn't need to be answered and also wouldn't leave any trace. The software was architected by a secretive Israeli firm called NSO Group, who is also behind the infamous Pegasus spyware, with a history of selling this kind of tools to governments and intelligence agencies.
A new report from Financial Times says the very same company who was essentially selling the keys to our digital lives has been touting new capabilities for its flagship spyware tool Pegasus to potential buyers. Where previously it was only able to harvest data from the phone's storage, apparently it can now steal a user's data from various accounts made on Apple, Microsoft, Facebook, Amazon, and Google's cloud services.
The spyware tool is said to have received a significant upgrade that allows it to access things like location history, archived messages, and other online data not synced on the phone. While it's not clear how exactly this is achieved, FT speculates that once Pegasus is on the target phone, it is able to essentially clone the authentication keys of services like Facebook Messenger and Google Drive and sync it with a surveillance server, where it can be then used to imitate the phone down to a tee, location included.
This isn't as benign as the Bluetooth vulnerability that was recently disclosed by Boston University engineers. While that one has an easy fix, the vulnerability exploited by the latest Pegasus iteration appears to be related to authentication techniques that are widely used in the industry.
NSO Group denied the accusations that it promoted mass surveillance tools, maintaining that its software is an important asset for responsible governments, but also didn't deny that Pegasus is able to extract data from cloud accounts.
All five companies have so far offered generic statements that they're not aware of any breach and that they're continually working on security. Apple did acknowledge the existence of tools capable of targeting a "small number" of devices, but the company doesn't believe they can be used on a large scale. That said, it should worry companies like Microsoft, who make a significant portion of their revenue from cloud services.
FT notes the documents they received offer a surprisingly simple fix to prevent Pegasus from being effective that only requires changing your app password.