WhatsApp security flaws back in the spotlight
By Gabey Goh September 20, 2012
- Security experts ask users to refrain from sharing sensitive information and surfing on public WiFi access points
- Company slammed for apparent lack of engagement with affected stakeholders over security issues
This is not the first time WhatsApp, which claims to deliver more than 1 billion messages a day worldwide, has hit the spotlight for its security flaws.
One of the first vulnerabilities was disclosed in May 2011, when an authentication flaw was found that made it possible to register any phone number.
Security blogger Mathy Vanhoef, in his post covering the messaging app’s poor security history, also highlighted the company’s apparent lack of engagement with affected stakeholders over security issues.
“As a security researcher you don't know whether or not a vulnerability has been fixed. And as a user of WhatsApp you are never warned of potential problems!” he wrote.
One of the issues highlighted in the fileperms post was the lack of encryption for any messages sent through the WhatsApp service until August 2012.
“When using WhatsApp in a public WiFi network, anybody was able to sniff incoming and outgoing messages including file transfers,” the report stated.
Authentication issues were also raised, with fileperms noting how easy it is for someone with malicious intent to generate a user’s password on all supported operating systems, and how the username is simply the mobile number tied to the account.
Privacy was another area of concern, with fileperms pointing out that when WhatsApp starts it will “send all numbers from your phone’s address book to its servers to check which numbers are registered with WhatsApp.”
A research paper authored by Austria-based SBA Research, entitled Guess Who’s Texting You? Evaluating the Security of Smartphone Messaging Applications, also reported that the phone number verification process of WhatsApp "is fatally broken."
While WhatsApp may have the most high profile security issues given the platform’s popularity, it should be noted that nearly all mobile messaging applications contain security vulnerabilities.
The SBA Research report, which covered nine such applications, stated: “All identified flaws stem from well-known software design and implementation errors. Although these vulnerabilities may not endanger human lives, they might have a severe impact on the privacy of millions of users.”
Caution and common sense
For concerned users wondering whether to abandon the WhatsApp platform or mobile messaging applications altogether, the security experts who spoke to Digital News Asia said that a complete exodus was not necessary.
Jimmy Fong, channel sales director for Kaspersky Lab South-East Asia, said there is no reason to stop using the application.
“However, users should always be aware of vulnerabilities and always keep in mind that it remains a social networking platform and should not be used as a business communication channel or to send important or sensitive messages,” he said.
Echoing the same sentiment, Eugene Teo, manager of Security Response at Symantec, said that if there’s any doubt on security, users should assume that the information that they share may possibly become public eventually if a breach happens.
“In such a case, they should only share information which would not potentially be detrimental to themselves if exposed,” said Teo.
“We recommend that users remain cautious when selecting communication platforms or providers, and ensure that the platforms that they use are properly secured,” he added.
Teo said that if the information users want to share is of a private or sensitive nature, the information should be encrypted before transmission and users should use a platform that supports encryption to ensure that their confidential information is protected.
Goh Su Gim, F-Secure security advisor for Asia, said users should be aware that WhatsApp currently has a weak encryption standard. “That does not mean they should not use the application altogether; they should use it with care,” he said.
Goh cautioned users to refrain from using the app on public WiFi access points, as any user on the same network is able to sniff the traffic over the air.
“This means unencrypted WhatsApp traffic can be sniffed and recorded. Hackers would also be able to steal information to decrypt the messages and could pose as the sender with the stolen information,” he said.
He added that it is also best practice to not send sensitive or confidential data such as credit card information or passwords that may be stolen for malicious activity such as fraud.