DNSS Inc – IT consulting and IT security services for small to mid-size businesses

Managed IT Services, IT Security Services, Vulnerability Management and Remediation, Help Desk Support, IT Maintenance Services, Network Administration, Business Continuity Planning, Disaster Recovery Planning, Onsite and Offsite Data Backup, and Information Security Assessment

WhatsApp Flaw Can Expose Private Communications | The State of Security

Security consultant and researcher Bas Bosschert has produced a proof-of-concept exploit that leverages a vulnerability in the popular WhatsApp messaging application that could allow an attacker to retrieve private communications.

The vulnerability discovered by Bosschert and his team could allow data to be extracted by any application that is allowed access to the mobile device's SD card, including chats that WhatsApp saves in a database there.

“The WhatsApp database is saved on the SD card which can be read by any Android application if the user allows it to access the SD card,” wrote Bosschert. “And since the majority of people allow everything on their Android device, this is not much of a problem.”

Newer versions of WhatsApp do provide a level of encryption, but Bosschert noted that the effort is all but futile since the decryption key can be easily accessed from WhatsApp Xtract, which is designed to back up WhatsApp chats.

“Lately WhatsApp is using encryption to encrypt the database, so it can no longer be opened by SQLite. But we can simply decrypt this database using a simple python script,” Bosschert wrote. “This script converts the crypted database to a plain SQLite3 database (got key from Whatsapp Xtract).”

Last month, WhatsApp had to respond to problems with its SSL encryption that could have left users vulnerable to man-in-the-middle (MitM) attacks and encryption downgrades. The company quickly patched the issues, but has thus far not responded to the new privacy vulnerabilities identified by Bosschert.

via WhatsApp Flaw Can Expose Private Communications | The State of Security.


This entry was posted on March 13, 2014 in Blog.