Flaw leaves WhatsApp users open to spying

Latest in a line of bugs.

Global messaging service WhatsApp has acknowledged a security flaw that leaves its location-sharing feature open to man-in-the-middle (MITM) attacks.

The vulnerability was discovered recently by the University of New Haven's Cyber Forensics Research and Education Group (UNHcFREG) in the US.

Researchers found that location data shared through WhatsApp is sent unencrypted, so anyone on the network path, such as the operator of a rogue Wi-Fi access point or another man-in-the-middle, can read it.

Sophos senior security advisor Paul Ducklin said in a blog post this kind of flaw could be of interest to intelligence services.

“We've written before about one group of ‘attackers' who happily make hay while mobile apps shine forth their data, namely the intelligence services," Ducklin wrote.

"And we've written about how hard it is to judge whether special-purpose mobile apps - such as those for banking - should be considered safe to use at all. WhatsApp, sadly, yet again joins the list of mobile apps that simply didn't get it right.”

The UNHcFREG researchers advised users not to share their location on WhatsApp until the issue is fixed.

Ducklin said it was disconcerting to "find that an app that makes big claims about privacy would give away information where you might reasonably expect it not to".

"One wonders why WhatsApp didn't just use public key cryptography over a secure connection - TLS, often known as HTTPS," he said.
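As an added example, not code from the article, WhatsApp or UNHcFREG, the Python below models what the researchers describe and what Ducklin's remark implies: a passive observer at a rogue access point can read coordinates straight out of a plaintext HTTP request, but gets nothing from a TLS connection, and a client should refuse to send location to anything but an https URL. The hostnames, request format and captured flows are constructed for illustration; the article does not publish WhatsApp's actual request format.

```python
import re
from urllib.parse import parse_qs, urlsplit

# A "lat,lon" pair in decimal degrees, as map URLs commonly carry it.
LATLON_RE = re.compile(r"(-?\d{1,2}\.\d{3,}),\s*(-?\d{1,3}\.\d{3,})")


def parse_http_request(payload: bytes):
    """Return (method, url, headers) from a raw HTTP/1.x request, or None if
    the bytes are not a readable request (e.g. a TLS record)."""
    try:
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def extract_coordinates(url: str):
    """Pull decimal-degree coordinates out of a URL's query parameters
    (lat/lon style) or out of any 'lat,lon' pair in the URL text."""
    query = parse_qs(urlsplit(url).query)
    found = []
    for lat_key, lon_key in (("lat", "lon"), ("lat", "lng"), ("latitude", "longitude")):
        if lat_key in query and lon_key in query:
            found.append((float(query[lat_key][0]), float(query[lon_key][0])))
    for match in LATLON_RE.finditer(url):
        pair = (float(match.group(1)), float(match.group(2)))
        if pair not in found:
            found.append(pair)
    return found


def find_leaked_locations(flows):
    """flows: list of {'dst_port': int, 'payload': bytes} as a rogue access
    point could log them. Returns (host, lat, lon) for every location a
    passive observer can recover. Port 443 flows are skipped: TLS record
    bytes expose at most the SNI hostname and lengths, never the coordinates."""
    leaks = []
    for flow in flows:
        if flow["dst_port"] != 80:
            continue
        request = parse_http_request(flow["payload"])
        if request is None:
            continue
        _method, url, headers = request
        for lat, lon in extract_coordinates(url):
            leaks.append((headers.get("host", "?"), lat, lon))
    return leaks


def require_https(url: str) -> str:
    """Client-side guard: refuse to send location data to a non-https URL."""
    scheme = urlsplit(url).scheme
    if scheme != "https":
        raise ValueError(f"refusing to send location over {scheme or 'no'} scheme: {url}")
    return url


# Constructed capture with hypothetical hosts: two plaintext location
# requests, one unrelated plaintext request, and a TLS ClientHello fragment.
SAMPLE_FLOWS = [
    {"dst_port": 80, "payload": b"GET /staticmap?center=41.2926,-72.9618&zoom=15 HTTP/1.1\r\n"
                                b"Host: maps.example.com\r\n\r\n"},
    {"dst_port": 80, "payload": b"GET /share?lat=51.5007&lon=-0.1246 HTTP/1.1\r\n"
                                b"Host: share.example.net\r\n\r\n"},
    {"dst_port": 80, "payload": b"GET /news HTTP/1.1\r\nHost: www.example.org\r\n\r\n"},
    {"dst_port": 443, "payload": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32},
]

if __name__ == "__main__":
    for host, lat, lon in find_leaked_locations(SAMPLE_FLOWS):
        print(f"location sent in the clear to {host}: {lat}, {lon}")
    require_https("https://share.example.net/share")  # accepted
    try:
        require_https("http://share.example.net/share")
    except ValueError as err:
        print(err)
```

Running it reports the two plaintext coordinates and nothing for the TLS flow; the `require_https` guard is the client-side half of the fix, since moving the request to TLS is what stops the observer reading it.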

WhatsApp is a popular mobile phone app that enables users to send text messages for free. The company was acquired by Facebook for around US$19 billion in February, and last month CEO Jan Koum blogged that “respect for its users' privacy is coded into our DNA”.

The location flaw is the latest in a series of privacy problems faced by the company.

Koum was forced to blog in response to accusations by two US privacy groups, the Electronic Privacy Information Center and the Center for Digital Democracy, that the Facebook takeover should be invalidated because WhatsApp's privacy policy was incompatible with that of the social networking giant.

Last month, a flaw that allowed other apps installed on an Android device to read WhatsApp users' "private" messages was revealed.

Ducklin at Sophos has also highlighted previous "security blunders" WhatsApp made in its use of symmetric encryption and in its attempts to roll its own session-based cryptography.

The company has said it will fix the location bug in the next release across its different mobile phone platforms.

"We have already implemented this solution in the latest beta versions of our app. We will be rolling this fix out to the general public with the next release on each platform," it told the researchers.

WhatsApp had not said when the fix would be released at the time of writing.

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, UK edition