
WhatsApp security flaws put on display by third party app.

Posted on 5/04/2012 by A.A.I






With several hundreds of thousands of downloads in the Google Play store alone, and availability on iPhone, Nokia, Blackberry and Windows Phone devices as well, you'd think that WhatsApp would take its users' security fairly seriously. As it turns out, that may not be the case. Recently a third-party app called WhatsAppSniffer entered the Play store. This app allows anyone on the same Wi-Fi network to pull your entire conversations from the network. This includes messages, pics, videos, and coordinates.

The app's purpose seems not to be completely malicious. "This application is designed to demonstrate that the security of WhatsApp's communications is null. WhatsAppsniffer just uses the TCPDump program, which reads all the WIFI network packets and filters those which have origin or destination at WhatsApp's servers. All messages are in plain text, so it does not decrypt anything, complying fully with the legal terms of Whatsapp..."

For those that didn't catch that, WhatsApp sends messages from your device to its servers in plain text, where they are then redirected to the chosen recipient... in plain text. This means that in the event that someone did get their hands on your conversation (which apparently works even on secured networks), they don't even have to trouble themselves with decrypting the data. They can just browse through it. The app separates conversations by phone number, so it's not just the conversation that has been compromised but your number as well. And to make matters worse, WhatsApp has known about this issue since May 2011, when other blogs began to report it. And apparently this isn't the beginning of WhatsApp's security issues.
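To audit for the exposure described above, the following added example (not from the original post or from WhatsAppSniffer) classifies payload bytes already captured from your own device as cleartext or likely encrypted, using printable-byte ratio and Shannon entropy. The sample payloads, thresholds and function names are constructed assumptions, not the real WhatsApp wire format.

```python
import hashlib
import math
from collections import Counter

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}  # ASCII text plus tab, LF, CR

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; approaches 8.0 for well-encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0

def classify_payload(data: bytes, min_len: int = 32) -> str:
    """Return 'cleartext', 'likely-encrypted' or 'inconclusive' (assumed thresholds)."""
    if len(data) < min_len:
        return "inconclusive"  # too short for either measure to mean much
    ratio, entropy = printable_ratio(data), shannon_entropy(data)
    if ratio >= 0.95 and entropy < 6.0:
        return "cleartext"
    if ratio < 0.60 and entropy > 7.0:
        return "likely-encrypted"
    return "inconclusive"

def pseudo_ciphertext(n: int) -> bytes:
    """Constructed stand-in for ciphertext: deterministic SHA-256 output."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

# Constructed sample payloads for illustration only.
SAMPLES = {
    "chat-in-the-clear": b"from=15550100 to=15550101 body=Meet at the station at 6pm, bring the tickets",
    "encrypted-session": pseudo_ciphertext(1024),
    "short-keepalive": b"\x00\x01ping",
}

def audit(samples):
    """Map each sample name to its verdict."""
    return {name: classify_payload(payload) for name, payload in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:20s} {verdict}")
```

Both measures are heuristics: encoded data such as base64 can still read as cleartext, so confirm a verdict by inspecting the payload itself.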




WhatsAppSniffer is basically just a packet sniffer and requires root access to use. But it makes the act of packet sniffing so easy that anyone with root access could utilize this exploit, even if they didn't understand how it works. Granted, those with root access are among those likely to fully understand this security flaw.
We've seen acts like this in the past, where security holes and exploits are put on display to urge the company or organization to address them. And in light of WhatsApp being more than a little slow to address the problem, hopefully this app and the coverage it's getting will push them to act.

WhatsAppSniffer itself has been removed from the Play market. At this time we'll have to wait and see if WhatsApp addresses the issue. If you're a WhatsApp user, does this security flaw concern you?





1 comment:

  1. Not only that, now there is another security flaw according to The DNetWorks, check this out, it uses IMEI as password http://thednetworks.com/2012/09/09/whatsapp-imei-password-md5-inverted-hack/
