WhatsApp leaks Telephone numbers, conversations
It’s easy to eavesdrop on people using the popular mobile messenger WhatsApp. The application sends user names, telephone numbers and even complete instant messages unencrypted over the internet. Adversaries can intercept this information by using a simple network sniffer like the popular Wireshark.
A reader of the Dutch IDG publication Webwereld discovered this vulnerability. He was able to intercept all unencrypted traffic on a network and Webwereld was able to reproduce his findings. At first sight, it looks like WhatsApp is using an SSL secured HTTPS connection to their servers. But this can be falsified on closer inspection. Although all usernames, telephone numbers and all instant messages are transferred via port 443, which is reserved for encrypted traffic, they are sent to WhatsApp’s servers in plain text.
Because of this it’s easy to ascertain private information by using a man-in-the-middle attack. The attack can only be carried out when a smartphone using WhatsApp is connected to an unsecured wireless network, like for instance WiFi hotspots offered at train stations or airports.
Adversaries could also setup a wifi access point with a common SSID of an unencrypted wireless network. This is know as an evil twin network. If the malicious user forwards the requests of the app to the internet, it’s even easier to capture private information. People using only trusted or secured WiFi networks are probably less vulnerable to this attack.
In a statement, WhatsApp says that it “strongly believes in network freedom and privacy” of their users. The company is studying this issue closely but does not wish to comment at this time.
To the discoverer of the vulnerability the company tells a different story. In this comment, WhatsApp states it trusts on 3G and WiFi to protect the traffic. “We do not save or store address book data or your conversations, so there is nothing to encrypt,” a spokeswoman said.
By on 27/05/2011