X

Chat app used by activists has security flaws, say critics

Security bloggers are piling on with the criticism of WhatsApp, saying there are serious problems with how data is protected from prying eyes in the popular mobile IM software.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
4 min read
This screenshot shows how the user's mobile phone number is being transferred in plaintext.
This screenshot shows how the user's mobile phone number is being transferred in plaintext. Fileperms

Several bloggers allege that the WhatsApp mobile chat program has weak security that puts users, which include human-rights activists, at risk.

In a series of posts on blogs and public Web pages, security and mobile researchers have been piling on the criticism of WhatsApp. Unfortunately, representatives of WhatsApp have not commented on the recent allegations, though criticism cropped up in May and even last year. WhatsApp did not respond to an e-mail from CNET seeking comment today. The company is unlisted in the San Francisco phone directory. We will update this post if we hear back.

The main complaints with WhatsApp are with the authentication and how it seems to be based on identification numbers associated with the devices. For example, the password for Android devices is based on an MD5 hash of the reversed IMEI (International Mobile Equipment Identity) used to identify the device, according to a blog post from Android developer Sam Granger last week. He lists different ways an attacker might get the IMEI.

That was followed by a blog post earlier this week from Italian security blogger Ezio Amodio, who discovered that the password for WhatsApp on the iPhone is generated using the MAC Address (Media Access Control Address) of the Wireless Local Area Network, which can be obtained by sniffing the network. "Paradoxically, because of the restrictions that Apple imposed (about retrieving of IMEI number), the authentication method for iOS devices is less secure than on Android devices," he writes. "The MAC address can be easily achieved on a Wi-Fi network."

And then came a post on the Fileperms blog by an unidentified blogger, who says the authentication is a "security nightmare," with passwords obscured using information based on identification numbers for the devices.

"If an iPhone user is on a public Wi-Fi (network) and someone is sniffing the data over the network they can log in to the account and hijack it," the security blogger, who said he is a computer science university student in Germany but declined to provide his name, told CNET today. "It's possible on Android, but it's more complicated."

His blog post also says the app leaks data collected off the device when it's being sent to servers. In addition, the post includes a link to a research paper that concludes that the local database storage encryption can be decrypted.

After the blog post went live, someone else posted a link to an anonymous Pastebin post signed by "Independent Security Analyst" that alleges that the encryption used for data transmission in WhatsApp is flawed. The Fileperms blogger says he does not know who did that research.

And the bloggers note that the username is the phone number, and that it's sent in plaintext.

"They tried to do the right thing, but they have made some mistakes," the Fileperms blogger told CNET in a phone interview. "I like their product, but it's just not secure."

Yet another blog post weighs in with the same conclusions. "In tests, heise Security found that, with the help of WhatsAPI, the PHP-based WhatsApp API, it was possible to take over both Android and iOS WhatsApp user accounts. And doing so was shockingly easy. All attackers have to do is to enter the phone number and MAC address or IMEI into a script and they are then able to send whatever messages they like from the compromised account. The sender is reported as the compromised user's phone number," the post says. "The script also offers a conversation mode which allowed heise Security to both send and receive messages. Sent messages are not visible on the account owner's phone and, as long as the script is running, neither are the responses received."

Given how popular the app is, any security issues could have serious consequences.

"There are lots of activists who use WhatsApp b/c they think it is a secure way to chat from mobile. They're so wrong," tweeted Christopher Soghoian, principal technologist and a senior policy analyst with the Speech, Privacy and Technology Project at the American Civil Liberties Union.

Soghoian also criticized WhatApp's privacy policy, specifically the section that begins: "WhatsApp uses commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of your personal information. We cannot, however, ensure or warrant the security of any information you transmit to WhatsApp and you do so at your own risk."

"Paragraph on WhatsApp's 'Commitment To Data Security' in Privacy Policy should make a FTC deception case pretty easy," tweeted Soghoian, who was the first ever in-house technologist at the Federal Trade Commission's privacy and identity protection division, where he worked on investigations of Facebook, Twitter, and other Internet companies.