[+] Wayc0de's Blog[+]

13/03/14

Hackers can steal Whatsapp conversations due to Android security flaw

A SECURITY VULNERABILTIY in the Android mobile operating system has been discovered that can allow cyber criminals to steal conversations from users of mobile messaging service Whatsapp.
Discovered by Bas Bosschert, the CTO of startup company Doublethink, the flaw was detailed in a blog post in which Bosschert demonstrated the method for accessing Whatsapp chats. He confirmed that the vulnerability still exists even after Google updated the Whatsapp app just last week.
The exploit is possible due to the Whatsapp database on Android being saved on the SD card, which can be read by any Android application if the user allows it to access the card.
"And since majority of the people [allow] everything on their Android device, this is not much of a problem," Bosschert said, noting that this is an issue in the Android infrastructure, specifically a problem with Android's data sandboxing system, as opposed to a security flaw in Whatsapp.
From there, a malicious app could access the Whatsapp conversation database, Bosschert said, testing his method with a companion app that he built, which uses a loading screen to distract the user while the database files are being uploaded.
Bosschert said that he can even decrypt the database with his own script despite the Whatsapp application's attempts in its recent update to encrypt the database to the point where it can't be opened by SQLite.
"We can simply decrypt this database using a simple python script," Bosschert said. "This script converts the [encrypted] database to a plain SQLite3 database.
"So, we can conclude that every application can read the Whatsapp database and it is also possible to read the chats from the encrypted databases. Facebook didn't need to buy Whatsapp to read your chats."
The full step by step guide for how he hacked Whatsapp can be found in Bosschert's blog post.
Whatsapp added privacy features and the ability to pay for a friend's subscription when it updated its Android app on Monday.
The added privacy includes controls for users to hide when they were last seen, their profile photo and their status updates from prying eyes.
While these are not groundbreaking changes, releasing a privacy update likely will appease its user following Facebook's $19bn acquisition of the company that has sparked privacy fears among Whatsapp users. These concerns are ongoing, as privacy groups called for the FTC to investigate the buyout last week, saying that it represents a threat to privacy

Tidak ada komentar:

Posting Komentar