A security consultant has uncovered a security hole in WhatsApp, the instant messaging platform recently acquired by Facebook. The flaw can be leveraged to gain access to the private chats of Android device owners.
Many people are concerned about the privacy implications of Facebook’s acquisition of WhatsApp. However, as Bas Bosschert, the man who identified the vulnerability, highlights, Facebook didn’t need to buy the company if all it wanted to do was read users’ chats.
The expert has found that any Android app that’s allowed access to the SD card installed on the device can easily access private conversations.
All chats are saved in a database file (msgstore.db) that’s stored on the SD card. Bosschert has developed a proof-of-concept which demonstrates that any app that’s granted permission to access the card can easily retrieve the database and upload it to a remote server.
According to Bosschert, in newer versions of WhatsApp, the database file is encrypted. However, this doesn’t mean that users’ private chats are secure. It simply means that an attacker would have to decrypt the database file to gain access to its contents.
The decryption key can be found in WhatsApp Xtract, an app that allows users to create backups of WhatsApp conversations.
The POC developed by the expert is designed so that when the database is retrieved, the victim only sees a simple loading screen. Cybercriminals could combine the data-stealing code with a popular application to harvest a large number of databases.
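From a defender's side, the exposure described above comes down to which installed apps hold both shared-storage access and network access. The following is an added example, not code from Bosschert's proof-of-concept or from WhatsApp: it audits permission dumps, assumed to be in the line format printed by `aapt dump permissions`, and flags such apps for review. The package names and sample dumps are constructed.

```python
import re

# Permissions that expose shared external storage (the "SD card") to an app.
STORAGE = {"android.permission.READ_EXTERNAL_STORAGE",
           "android.permission.WRITE_EXTERNAL_STORAGE"}
NETWORK = "android.permission.INTERNET"

# Accepts both `uses-permission: name='X'` and the older `uses-permission: X`.
PERM_RE = re.compile(r"^uses-permission:\s*(?:name=)?'?([\w.]+)'?")


def parse_dump(text):
    """Return (package, set of permissions) parsed from one permission dump."""
    package, perms = None, set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            package = line.split(":", 1)[1].strip()
            continue
        match = PERM_RE.match(line)
        if match:
            perms.add(match.group(1))
    return package, perms


def audit(dumps):
    """List packages that can read shared storage and also reach the network."""
    flagged = []
    for text in dumps:
        package, perms = parse_dump(text)
        if perms & STORAGE and NETWORK in perms:
            flagged.append(package)
    return sorted(flagged)


# Constructed sample dumps with hypothetical package names.
SAMPLE_DUMPS = [
    "package: com.example.flashlight\n"
    "uses-permission: name='android.permission.CAMERA'\n",
    "package: com.example.game\n"
    "uses-permission: name='android.permission.INTERNET'\n"
    "uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'\n",
    "package: com.example.notes\n"
    "uses-permission: android.permission.READ_EXTERNAL_STORAGE\n",
]

if __name__ == "__main__":
    for pkg in audit(SAMPLE_DUMPS):
        print("review:", pkg)
```

A flagged app is only a candidate for review, since many legitimate apps hold both permissions. On Android versions before API level 19 the read permission is not enforced, so a permission audit alone understates exposure there.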
I’ve reached out to WhatsApp to see if they plan on doing anything about the issue. This post will be updated if they respond to my inquiry.
In February, security researchers from Praetorian reported finding a number of SSL-related vulnerabilities in WhatsApp. Most of them were fixed almost immediately by the company.