Gaping Security Flaw in WhatsApp on Android Let Other Apps Steal Your Messages

If you’re using WhatsApp on an Android device, even after yesterday’s update, your chats are prone to being downloaded by others, a security consultant has discovered. Bas Bosschert, CTO and consultant at Double Think, along with his brother, discovered this exploit after wondering if it would be possible to upload and read someone’s WhatsApp chats from another app. With a proof of concept on his blog, he proved it was easily possible.

The gist of Bosschert’s proof of concept: he first set up a server with a simple PHP script to store the WhatsApp database. He then created a default app in Eclipse, added extra permissions so that it could access a user’s SD card and upload chat histories to his server, and had it masquerade as an innocent app.

The Android platform differs from Apple’s iOS, which doesn’t allow access to data located beyond the app’s own sandbox, thus preventing malicious events like the Android WhatsApp loophole from happening. Even so, any Apple user who has been chatting with someone using WhatsApp on Android is just as prone to having that data obtained by a third party.

In truth, it’s more an Android security issue than a WhatsApp one, considering that almost any app could be equally vulnerable to this exploit, but both parties need to step up and work towards preventing these gaping security holes. WhatsApp has had several security issues over the past year, including a flaw that allowed anyone to access someone’s messages over insecure networks and the most recent issue with WhatsApp SSL encryption. In recent months, WhatsApp has begun taking steps to better secure its users, implementing better encryption, among other things.

Bosschert, however, was able to decrypt the encrypted data with ease using a simple Python script and said that it is also possible with a tool like WhatsApp Xtract. “We can conclude that every application can read the WhatsApp database and it is also possible to read the chats from the encrypted databases,” Bosschert noted. Older versions of WhatsApp were so insecure that the chats were sent unencrypted to the server.

The flaw that allows such a loophole to exist actually dates back to May of 2012, when WhatsApp Xtract was released, allowing easy decryption of messages. Bosschert summed up the loophole nicely, saying “Facebook didn’t need to buy WhatsApp to read your chats.” But considering they did purchase WhatsApp for a cool $19 billion, chances are there’s a fix on the way for the Android version. Until then, maybe try using a more secure messaging app.

How To Secure Your WhatsApp Chats On An Android Device:

To keep your chats safe from being stolen on your Android, make sure you have your chat backup turned off. You can check this by going into the app’s settings > chat settings > chat backup. If you didn’t select ‘no’ to auto-backup when you first downloaded the app, you’ll have to delete the app and re-download it, choosing to never back up your chats.

You can read the whole Proof of Concept on Bosschert’s blog here.