Critical crypto flaw in Facebook’s WhatsApp for Android exposes chats

Message history is wide open to theft and decryption by rogue apps, consultant says.

The Android version of WhatsApp, the cross-platform instant messaging app purchased by Facebook for $16 billion, has a loophole that leaves chat histories wide open to other apps installed on the same smartphone, a security consultant says.

Consultant, system administrator, and entrepreneur Bas Bosschert documented the vulnerability in a blog post published Tuesday. It includes the proof-of-concept code a rogue app would need to stealthily upload the chat history to an attacker-controlled server and, when working with newer versions of WhatsApp, to decrypt the file. The exploit is premised on the victim installing a malicious app that offers a game or some other useful feature while, in the background, accessing the database WhatsApp stores on the secure digital (SD) card of an Android device.

"The WhatsApp database is saved on the SD card which can be read by any Android application if the user allows it to access the SD card," Bosschert wrote. "And since [the] majority of the people allows [sic] everything on their Android device, this is not much of a problem."

Android apps are frequently criticized for requiring a wide variety of permissions, including access to SD cards and Internet connectivity, to work at all. Even when databases are encrypted by newer versions of WhatsApp, they're easily decoded. Thanks to an open-source tool known as Xtract that streamlines the process of backing up WhatsApp chat histories, the decryption key is readily available. There's no indication that iOS or other versions of WhatsApp are vulnerable. Still, users of those platforms should be concerned if they chat with Android users, since exposed chat histories will contain all received messages regardless of the type of phone that was used to send them.

"So, we can conclude that every application can read the WhatsApp database and it is also possible to read the chats from the encrypted databases," Bosschert wrote. "Facebook didn’t need to buy WhatsApp to read your chats."

Facebook has received plenty of scrutiny for its plans to acquire WhatsApp and its 450 million users. Critics' concerns about privacy aside, Facebook's stewardship may be the best thing to happen to WhatsApp, which has suffered a series of security embarrassments in the past year. Last month, Facebook developers released an open-source tool dubbed Conceal that provides a set of easy-to-use programming interfaces for securely storing sensitive app data on the SD cards of Android devices. Given Facebook's track record for producing secure code and services, there's a good chance that there are beta versions of WhatsApp that already fix the loophole Bosschert has reported.
