March 12, 2014
WhatsApp Vulnerability Exposed By Good Samaritan Hacker
Enid Burns for redOrbit.com - Your Universe Online
A Good Samaritan hacker has notified the app's developer and the public of a vulnerability in the free messaging app WhatsApp that lets other Android apps read users' chat histories, rather than exploiting the flaw himself. Netherlands-based IT specialist Bas Bosschert offered details in a post on his blog, "Steal WhatsApp database (PoC)."
Bosschert and his brother set out to answer the question "Is it possible to upload and read the WhatsApp from another Android application?" The short answer: "Yes, that is possible."
"The WhatsApp database is saved on the SD card which can be read by any Android application if the user allows it to access the SD card. And since the majority of people allow everything on their Android device, this is not much of a problem," Bosschert explains on his blog.
The proof of concept has two parts: a server whose php.ini is configured to accept large file uploads, and a modified Android app that, once the user grants it access to the SD card, reads the WhatsApp database from the card and uploads it to that server. WhatsApp has encrypted the database in recent versions of the app, though Bosschert claims the encrypted copy can still be decrypted and its chats read.
All of this happens without the user noticing.
When the nosy app is opened it displays a loading screen or some other interstitial while the chat database is uploaded in the background. "So people think the application is doing something interesting in the background," Bosschert writes.
This is not the first time hackers have exposed a vulnerability in an app without taking advantage of it. In late December, details were published of a security flaw in the Snapchat app that exposed users' friend lists. The security firm that found the flaw notified Snapchat privately and went public only after the app developer neither responded nor fixed it. Days later, other hackers used the vulnerability to download (and post) 4.6 million Snapchat usernames and phone numbers.
WhatsApp, which Facebook agreed to acquire for $16 billion in February, has had a mixed few months. In December the messaging service reported more than 400 million monthly active users, one of its brightest moments; that is almost double Twitter's 230 million, but it also puts a very large number of people at risk if the app is not secure. Last month the app security company Armor for Android warned that WhatsApp's 450 million users were vulnerable to malware.
The ability of other apps to copy chat histories is only the latest concern; Business Insider Australia reports that it is the newest in a string of security issues for WhatsApp.
"Security concerns surrounding WhatsApp aren't new, but have been attracting more attention since Facebook acquired the text messaging alternative last month. According to Thijs Alkemade, a computer science and mathematics student at Utrecht University in the Netherlands, WhatsApp's ingoing and outgoing messages are encrypted with the same key. This means that if an attacker intercepts these messages, he or she can analyse them to cancel out the key and recover the plain text, Alkemade wrote in a blog post from October."
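To make the "cancel out the key" point in that quote concrete, here is an added example; it is not code from the article, from Alkemade's post or from WhatsApp. It shows why encrypting both directions of a conversation with the same stream-cipher key lets an eavesdropper who knows (or can guess, or sent) one side's message recover the other side's, without learning the key. RC4 is used here as a stand-in stream cipher, and the session key and both messages are constructed for the demo; the page itself does not name the cipher WhatsApp used.

```python
"""Added demo: one stream-cipher key for both directions leaks plaintext.

Assumptions (not from the article): RC4 stands in for the cipher; the session
key and the two messages below are constructed for the demonstration.
"""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream for `key` (KSA then PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: plaintext XOR keystream. Decryption is identical."""
    return xor_bytes(plaintext, rc4_keystream(key, len(plaintext)))


def recover_from_key_reuse(c_out: bytes, c_in: bytes, known_out: bytes) -> bytes:
    """Eavesdropper's attack when both directions share one keystream.

    c_out = p_out XOR ks and c_in = p_in XOR ks, so c_out XOR c_in = p_out XOR p_in:
    the keystream cancels without ever being known. With one side's plaintext
    (known, guessed, or chosen by the attacker) the other side's falls out.
    """
    n = min(len(c_out), len(c_in), len(known_out))
    return xor_bytes(xor_bytes(c_out[:n], c_in[:n]), known_out[:n])


SESSION_KEY = b"constructed-demo-key"                          # constructed
OUTGOING = b"Are we still meeting at the station tonight?"     # constructed
INCOMING = b"Yes, platform 4 at eight. Bring the documents."   # constructed


def demo_shared_key() -> bytes:
    """Both directions under SESSION_KEY; the attacker knows OUTGOING."""
    c_out = stream_encrypt(SESSION_KEY, OUTGOING)
    c_in = stream_encrypt(SESSION_KEY, INCOMING)
    return recover_from_key_reuse(c_out, c_in, OUTGOING)


def demo_separate_keys() -> bytes:
    """Minimal fix for the demo: a distinct keystream per direction.

    Per-direction keys are derived here by appending a label, which is enough
    to show the XOR trick failing; a real design would use a KDF and fresh
    nonces rather than string concatenation.
    """
    c_out = stream_encrypt(SESSION_KEY + b"|client->server", OUTGOING)
    c_in = stream_encrypt(SESSION_KEY + b"|server->client", INCOMING)
    return recover_from_key_reuse(c_out, c_in, OUTGOING)


if __name__ == "__main__":
    print("shared key, recovered incoming :", demo_shared_key())
    print("separate keys, 'recovered'     :", demo_separate_keys())
```

Run it and the first line prints the incoming reply (truncated to the length of the known outgoing message) even though the key never appears in the attack; the second line prints noise because the two directions no longer share a keystream.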
While not a direct security concern, two privacy groups filed a complaint with the Federal Trade Commission last week. The Electronic Privacy Information Center and the Center for Digital Democracy oppose the Facebook acquisition, arguing it is unfair because users joined WhatsApp expecting that their data would not be collected for advertising purposes.