WhatsApp Security Flaw Exposes Chat History to Third-Party Apps in Minutes

by Istvan Fekete on March 12, 2014

WhatsApp users on Android should be more careful when downloading apps to their phone. If they don’t pay attention and forget to read the app’s permissions carefully before installing the app, their chat history could end up in a stranger’s hands, according to an IT specialist based in the Netherlands.

The flaw was uncovered by Bas Bosschert, a technical consultant who has more than ten years of experience working with Linux and Unix. In a blog post published recently, he explained how developers can trick WhatsApp users into allowing access to their entire message database.

The problem appears to be connected with the location of the storage medium. WhatsApp backs up chats to the phone’s SD card, and although this is not a problem in itself, any app that has been granted access to that storage can read the backup. The data can then be uploaded to the developer’s Web server.

He goes on to detail how to create such apps, and says that if the code shown in his screenshots were added to an Android game, it could easily be used to extract a WhatsApp user’s database.

“The WhatsApp database is a SQLite3 database which can be converted to Excel for easier access. Lately WhatsApp is using encryption to encrypt the database, so it can no longer be opened by SQLite. But we can simply decrypt this database using a simple python script. This script converts the encrypted database to a plain SQLite3 database (got key from Whatsapp Xtract).”
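The risk the article describes comes from a combination of two permissions: one that reads shared (SD card) storage and one that reaches the network. As an added example, not from the article or from Bosschert’s post, this Python script audits a decoded AndroidManifest.xml for that combination so a user or reviewer can spot it before installing; the two manifests are constructed samples, and the package names are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permissions that let an app read files on shared/external storage
# (where the article says WhatsApp keeps its backups) and send data off-device.
STORAGE_PERMS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}
NETWORK_PERMS = {"android.permission.INTERNET"}

def requested_permissions(manifest_xml: str) -> set:
    """Return the permission names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }

def audit(manifest_xml: str) -> dict:
    """Flag the storage + network combination that allows backup exfiltration."""
    perms = requested_permissions(manifest_xml)
    storage = perms & STORAGE_PERMS
    network = perms & NETWORK_PERMS
    return {
        "storage": sorted(storage),
        "network": sorted(network),
        "can_exfiltrate_shared_storage": bool(storage) and bool(network),
    }

# Constructed sample: a "game" that asks for both storage and network access.
SAMPLE_GAME_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flappygame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Flappy Game"/>
</manifest>
"""

# Constructed sample: an offline-only game that needs neither permission.
SAMPLE_OFFLINE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.solitaire">
    <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

if __name__ == "__main__":
    for name, m in (("flappygame", SAMPLE_GAME_MANIFEST), ("solitaire", SAMPLE_OFFLINE_MANIFEST)):
        print(name, audit(m))
```

A flagged result does not prove an app is malicious, only that it holds the two capabilities the article’s scenario requires; a manifest can be obtained from an APK with the standard Android build tools.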

This isn’t the first time WhatsApp’s security flaws have made headlines, but it is only since Facebook acquired the startup for $19 billion that they have attracted major attention. According to a computer science and mathematics student at Utrecht University in the Netherlands, WhatsApp’s incoming and outgoing messages are encrypted using the same key, which means that if an attacker intercepts these messages, he can analyze them to cancel out the key and recover the plain text.

Written by: Istvan Fekete. www.digitcom.ca.