Why isn't WhatsApp secure?
- Tanha Patel
- Jun 11, 2019
- 4 min read
Updated: Jun 15, 2019

The first thing I would like to say is that WhatsApp is owned by Facebook, one of the social media companies, and frankly Facebook itself has security and credibility issues. When we create a WhatsApp account we agree to its privacy policy, which covers the collection, use, processing and sharing of our personal information. Thus WhatsApp not only collects metadata but also transfers that data to its different data centres around the world. So we can say that WhatsApp replicates the data instead of just storing it in the data centre located in Santa Clara.
WhatsApp says that messages are end-to-end encrypted (a message can only be decoded by the sender's and the recipient's devices), but since the new update WhatsApp offers backups, which create a gap in that encryption. Data is encrypted as long as it stays on our local devices, but for backups we have to use third-party storage: iCloud on iOS or Google Drive on Android. You are therefore also agreeing to the terms and conditions of those third-party services, which increases data replication. Moreover the backup is stored in decrypted form, so anybody with access to the backup could potentially read the messages.

We know that WhatsApp messages are end-to-end encrypted, so we can conclude that anything outside of this, such as status messages and images, profile photos, profile information, etc., is not end-to-end encrypted. I would also like to say that decryption of messages is difficult, though not impossible, because the key generation is solid and the Open Whisper Systems protocol, AKA the Signal Protocol, which WhatsApp employs, uses AES-256 for message encryption and HMAC-SHA256 for message authentication.
A cybersecurity company stated that a flaw had been discovered in Facebook-owned WhatsApp. They stated that WhatsApp allows scammers to alter the content of messages as well as the identity of the sender. WhatsApp acknowledged that someone can alter messages made using the quote feature. (The quote feature lets a user reply to any past message.) But the owners of WhatsApp denied that it was a flaw.
Another problem is that misinformation spreads widely. The two most notable cases of misinformation spreading across the platform have been in India and Brazil. These messages concerned fake crimes, such as fabricated child abductions in India, and supposed deadly reactions to vaccines for the disease jaundice (yellow fever) in Brazil. It also became a main source for spreading fake news throughout the 2016 U.S. presidential campaign.
Oded Vanunu, head of vulnerability research at Check Point, stated that attackers can alter quoted messages from a trusted source, especially in group chats (maximum 256 participants), so that a message appears to come from a user who is not a participant of the group. With the quote feature they got a powerful tool to alter messages.

WhatsApp acknowledged this flaw, adding that it is part of the app's design framework. The company has taken up the issue of the flow of misinformation and made some notable changes: labelling every forwarded message as "Forwarded" so that the recipient knows it is a forwarded message; limiting forwarding of a message to 5 recipients at a time instead of 250; removing the forwarding shortcut in some regions; and banning accounts that attempt to modify WhatsApp to engage in spammy behaviour.
Another avenue of attack is spear phishing with attachments that masquerade as WhatsApp Web (a web client for using WhatsApp on a computer). The attackers imitate WhatsApp Web and ask for your phone number, then use the number to bombard you with spam and correlate it with hacked data on the internet. So it is better to use the WhatsApp application and only official, trusted sites.
Moreover, Citizen Lab, a watchdog group at the University of Toronto, is investigating the activities of the Israeli security company NSO Group. They stated that the Pegasus spyware allows attackers to remotely install surveillance malware by calling the target through a WhatsApp audio call, even if the call is not answered. The victim may never learn of the intrusion (the installation) of such malware because the spyware deletes the incoming call information from the logs.
Such malware is capable enough to access the victim's data and also to control the microphone and camera, activating them and recording. The attackers then steal a massive amount of data from the victim's smartphone. The data includes text messages, call details, emails, call records, camera, location, microphone, etc. This covers almost every kind of data, which also includes WHATSAPP MESSAGES. Sorry to yell, but this is how messages can be stolen even though they are end-to-end encrypted. All of this can be done right under the victim's nose, without his or her knowledge.
Facebook described this security breach as "a buffer overflow vulnerability". It affects WhatsApp VOIP (Voice over Internet Protocol). The vulnerability allows attackers to execute arbitrary malware code on the targeted device by sending specially crafted SRTP (Secure Real-time Transport Protocol) packets. Its identifier is CVE-2019-3568, and it can be used to install malware on the targeted device.
A buffer overflow is a specific kind of program defect that gives attackers unauthorized access to system memory through the app, which should not be possible. If attackers know how to run their code in an area of memory that is authorized, they can carry out malicious and evil acts.
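To make the defect class concrete, here is an added example (written for this page; it is not WhatsApp's code and not the CVE-2019-3568 bug itself, and the packet layout, buffer size and function names are constructed for illustration). It shows a toy length-prefixed packet being copied into a fixed-size receive buffer, first trusting the length field from the wire and then with the bounds checks that a hardened parser needs:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 64   /* capacity of the receive buffer (constructed) */

/* Toy packet layout constructed for this example (not SRTP):
 * byte 0 = declared payload length, bytes 1.. = payload. */
struct frame {
    uint8_t payload[PAYLOAD_MAX];
    size_t len;
};

/* Unchecked variant: the declared length comes straight from the wire and is
 * trusted. A value larger than PAYLOAD_MAX makes memcpy write past the end of
 * payload[], which is exactly the buffer overflow defect class. Shown for
 * contrast only; it is never called on untrusted input below. */
void copy_payload_unchecked(struct frame *f, const uint8_t *pkt)
{
    size_t declared = pkt[0];
    memcpy(f->payload, pkt + 1, declared);
    f->len = declared;
}

/* Hardened variant: validate the declared length against the buffer capacity
 * and against the number of bytes actually received before copying. */
int copy_payload_checked(struct frame *f, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 1)
        return -1;                      /* no length byte at all */
    size_t declared = pkt[0];
    if (declared > PAYLOAD_MAX)
        return -2;                      /* would overflow payload[] */
    if (declared > pkt_len - 1)
        return -3;                      /* would read past the packet */
    memcpy(f->payload, pkt + 1, declared);
    f->len = declared;
    return 0;
}

/* Constructed sample: a well-formed 4-byte payload. Returns the stored length. */
int demo_valid_packet(void)
{
    const uint8_t pkt[] = { 4, 'a', 'b', 'c', 'd' };
    struct frame f;
    if (copy_payload_checked(&f, pkt, sizeof pkt) != 0)
        return -1;
    return (int)f.len;
}

/* Constructed sample: a 3-byte packet whose length byte claims 200 bytes.
 * Returns the parser's result code (-2: rejected, buffer would overflow). */
int demo_lying_length(void)
{
    const uint8_t pkt[] = { 200, 'x', 'y' };
    struct frame f;
    return copy_payload_checked(&f, pkt, sizeof pkt);
}

/* Constructed sample: the length byte claims more bytes than were received.
 * Returns the parser's result code (-3: rejected, would read past packet). */
int demo_truncated_packet(void)
{
    const uint8_t pkt[] = { 10, 'x', 'y' };
    struct frame f;
    return copy_payload_checked(&f, pkt, sizeof pkt);
}

int main(void)
{
    printf("valid packet stored %d bytes\n", demo_valid_packet());
    printf("lying length -> %d, truncated -> %d\n",
           demo_lying_length(), demo_truncated_packet());
    return 0;
}
```

The two checks in the hardened variant guard different things: the first keeps the write inside the destination buffer, the second keeps the read inside the bytes that actually arrived. Both are needed, because a length field on the wire is attacker-controlled data and must never be used to size a copy without being compared to a known limit.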

Facebook says: “This issue affects almost all of the 1.5 billion WhatsApp users with a version prior to v2.19.134 for Android, version prior to v2.19.44 for Android (Business Account), version prior to v2.19.51 for iOS, version prior to v2.19.134 for Android, version prior to v2.19.51 for iOS (Business account), version prior to v2.18.348 for Windows, version prior to v2.18.15 for Tizen.”
As soon as WhatsApp engineers discovered the vulnerability, they alerted the Department of Justice to the issue and encouraged WhatsApp users to update their app to the latest version for security. Thus we can't trust WhatsApp's security, as there are many flaws, especially for secret and sensitive information. Instead we should use Gmail for such conversations.
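For anyone checking a fleet of devices against that list, here is an added example (not Facebook's or WhatsApp's code; the platform keys such as "android-business" are labels chosen for this example) that compares an installed version string against the first fixed version for each platform quoted above and reports whether an update is still needed:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct fixed_version {
    const char *platform;     /* label chosen for this example */
    const char *first_fixed;  /* first version no longer affected */
};

/* First fixed versions, taken from the advisory text quoted above. */
static const struct fixed_version FIXED[] = {
    { "android",          "2.19.134" },
    { "android-business", "2.19.44"  },
    { "ios",              "2.19.51"  },
    { "ios-business",     "2.19.51"  },
    { "windows",          "2.18.348" },
    { "tizen",            "2.18.15"  },
};

/* Parse "a.b.c" (an optional leading 'v' is skipped) into three integers.
 * Returns 0 on success, -1 if the string does not have three numeric parts. */
int parse_version(const char *s, int out[3])
{
    if (*s == 'v')
        s++;
    int n = sscanf(s, "%d.%d.%d", &out[0], &out[1], &out[2]);
    return n == 3 ? 0 : -1;
}

/* Returns <0, 0 or >0 as a is before, equal to or after b. */
int compare_version(const int a[3], const int b[3])
{
    for (int i = 0; i < 3; i++)
        if (a[i] != b[i])
            return a[i] < b[i] ? -1 : 1;
    return 0;
}

/* 1  = installed version predates the fix (update needed)
 * 0  = fixed version or later
 * -1 = unknown platform label or unparsable version string */
int needs_update(const char *platform, const char *installed)
{
    int have[3], fixed[3];
    if (parse_version(installed, have) != 0)
        return -1;
    for (size_t i = 0; i < sizeof FIXED / sizeof FIXED[0]; i++) {
        if (strcmp(FIXED[i].platform, platform) == 0) {
            if (parse_version(FIXED[i].first_fixed, fixed) != 0)
                return -1;
            return compare_version(have, fixed) < 0 ? 1 : 0;
        }
    }
    return -1;
}

int main(void)
{
    /* Constructed sample inventory lines: platform label and installed version. */
    const char *inventory[][2] = {
        { "android", "2.19.133" }, { "ios", "v2.19.51" }, { "tizen", "2.18.14" },
    };
    for (size_t i = 0; i < sizeof inventory / sizeof inventory[0]; i++)
        printf("%-8s %-10s needs_update=%d\n", inventory[i][0], inventory[i][1],
               needs_update(inventory[i][0], inventory[i][1]));
    return 0;
}
```

Version strings are compared numerically part by part rather than as text, so that 2.19.134 correctly sorts after 2.19.44; a plain string comparison would get that case wrong. Unknown platforms and malformed strings are reported separately from "up to date" so they are not silently treated as safe.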