WhatsApp security vulnerabilities identified

WhatsApp Messenger is a cross-platform mobile messenger for text messaging that uses the phone's existing Internet connection, for example 3G/EDGE or Wi-Fi. WhatsApp is available for different mobile platforms including the iPhone, BlackBerry, Android and Nokia Symbian60 phones. WhatsApp has been found to have three vulnerabilities applicable to the four mobile platforms mentioned above.

Updating a user's status: WhatsApp confirmed today (6th Jan) that it had patched an issue that allowed a third-party website to update any user's status message. A phone number and a status message were all you needed to modify status messages on the service.

Registration bypass: WhatsApp was found to have a brute-force vulnerability in the SMS registration process whereby it was easy to take over a user account, read other users' messages and even send messages on their behalf. Devices could be registered with any phone number. The iMessages remote wipe story, anyone?

XMPP (Extensible Messaging and Presence Protocol) traffic: the data on WhatsApp isn't encrypted. BBM (BlackBerry Messenger) is encrypted, and for good reason: encryption stops MITM attacks in which someone could read, send/receive or modify messages. It isn't certain whether this has been fixed nor when it might be.

XMPP traffic should be encrypted. Third-party messaging apps (including iOS iMessages) have been found to be very weak at securing their apps' messaging data. App developers should remember that as much as traction is important, one security breach is enough to force users onto other competing platforms.
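As an added example (not code from the original post or from WhatsApp), here is the fail-closed check an XMPP client can apply to the server's `<stream:features>` before it sends any credentials or messages: if STARTTLS is not offered, the stream is refused rather than used in the clear. The two feature stanzas are constructed samples following RFC 6120, not captured traffic.

```python
import xml.etree.ElementTree as ET

STREAMS_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"


def evaluate_stream_features(features_xml: str) -> dict:
    """Parse a <stream:features> element and decide what a cautious client
    should do next:
      'starttls' - server offers TLS; negotiate it before anything else
      'abort'    - no TLS offered; close the stream, never authenticate in clear
    """
    root = ET.fromstring(features_xml)
    if root.tag != f"{{{STREAMS_NS}}}features":
        raise ValueError("not a <stream:features> element")
    starttls = root.find(f"{{{TLS_NS}}}starttls")
    offered = starttls is not None
    # <required/> means the server itself refuses to continue without TLS.
    required = offered and starttls.find(f"{{{TLS_NS}}}required") is not None
    # SASL mechanisms advertised on a pre-TLS stream: PLAIN here means the
    # server would accept a cleartext password, which is what a MITM wants.
    mechs = [m.text or "" for m in root.iter(f"{{{SASL_NS}}}mechanism")]
    return {
        "starttls_offered": offered,
        "starttls_required": required,
        "cleartext_auth_offered": "PLAIN" in mechs,
        "decision": "starttls" if offered else "abort",
    }


# Constructed sample 1: a server that insists on TLS (what you want to see).
GOOD_FEATURES = (
    '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
    '<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>'
    "</stream:features>"
)
# Constructed sample 2: no STARTTLS and PLAIN auth on the clear stream, the
# unencrypted-XMPP situation the post warns about.
BAD_FEATURES = (
    '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
    '<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">'
    "<mechanism>PLAIN</mechanism></mechanisms>"
    "</stream:features>"
)

if __name__ == "__main__":
    for name, xml in (("good", GOOD_FEATURES), ("bad", BAD_FEATURES)):
        print(name, evaluate_stream_features(xml))
```

The same function can be pointed at your own server's opening features to audit whether it ever permits a cleartext session.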

Safe surfing folks!


This entry was posted in android, apple, blackberry, mobile, windows and tagged , . Bookmark the permalink.

One Response to WhatsApp security vulnerabilities identified

  1. Liroy says:

    Just to clarify: It was not a brute force attack, it simply was a check that failed when spoofing sender data through txt message when there was no call credit on the verifying phone, which led WhatsApp into believing you were the legitimate user of a phone number.