Alex Stamos (@alexstamos), January 24, 2020:
Well, lots going on here. My take:
1) We don’t know that MBS hacked Bezos at all. The FTI report is deficient in several important ways.
2) WhatsApp has had multiple flaws that allow for remote code execution. Such a flaw in mp4 parsing existed at the relevant time. https://t.co/vuoSCb2vKO
3) Clegg is right that WhatsApp messages are end-to-end encrypted, he’s just applying that fact to the wrong issue.
4) My understanding is that a full-screen play of an mp4 in WhatsApp uses the OS codec, so this could also be an iOS flaw delivered over WhatsApp.
5) Even if there was an attack via WA, there was also a local privilege escalation in iOS to allow this to happen. Those bugs are too numerous to list.
6) Once again, we don’t know if this happened at all. The media should not assume it did when asking questions.
7) The circumstantial evidence that Bezos was hacked does not point to any specific company’s tool chain. Asking about NSO was not warranted.
8) Nick needs some better staff briefings on this issue. Not reasonable to expect him to have this expertise.
Footnotes
WSJ story on deficiencies in FTI’s report: https://t.co/tWcO5KPHXu
Possibly relevant WhatsApp bug: https://t.co/3x3ZIaTo6b
Apple security updates: https://t.co/UJjQpBCkBB
HT to @emilybell and @moltke