In the ping-happy world in which we live, faster and better communication apps are always gaining popularity. One such title, WhatsApp, has found itself in the spotlight for bringing BBM-like messaging to any phone; all that you need to do is give it your phone number.

However, according to a number of reports from Spanish and Dutch-language websites, there is a security hole in the WhatsApp authentication process that allows your messages to be read by anyone with a prepaid phone and a WiFi connection.

The story appears to have first broken over on Tweaker.net via GeenStijl. Since the break, though, more details have been found. But starting from the beginning, here’s what we have been able to find and verify:

The problem is two-fold. First, even though WhatsApp uses port 443 (commonly used for encrypted traffic), the information sent over the port does not appear to have any sort of security attached. Second, once that information has been transmitted, it can easily be picked up by anyone who is scouring ports over public WiFi.
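The port number alone says nothing about whether traffic is encrypted. As an added illustration (not part of the original reporting and not WhatsApp's code), this Python sketch checks whether the first client-to-server bytes of a port 443 stream look like a TLS ClientHello; the flow ids and payloads are constructed sample data.

```python
import struct

TLS_HANDSHAKE = 0x16            # TLS record content type: handshake
CLIENT_HELLO = 0x01             # handshake message type: ClientHello
MAX_RECORD_LEN = 2**14 + 2048   # largest record length TLS 1.2 permits


def classify_first_bytes(payload: bytes) -> str:
    """Classify the first client-to-server bytes of a TCP stream."""
    if len(payload) < 6:
        return "too-short"
    ctype, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if ctype != TLS_HANDSHAKE or major != 0x03 or minor > 0x04:
        return "not-tls"
    if rec_len == 0 or rec_len > MAX_RECORD_LEN:
        return "not-tls"
    if payload[5] != CLIENT_HELLO:
        return "not-tls"
    return "tls-client-hello"


def unencrypted_on_443(flows):
    """Return the flow ids whose port-443 stream does not open with TLS."""
    return [fid for fid, dport, first in flows
            if dport == 443 and classify_first_bytes(first) != "tls-client-hello"]


# Constructed sample data (not captured traffic).
SAMPLE_CLIENT_HELLO = bytes.fromhex("160301002f0100002b0303") + bytes(41)
SAMPLE_FLOWS = [
    ("flow-a", 443, SAMPLE_CLIENT_HELLO),
    ("flow-b", 443, b"constructed cleartext message body"),
    ("flow-c", 443, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("flow-d", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

if __name__ == "__main__":
    for fid in unencrypted_on_443(SAMPLE_FLOWS):
        print(f"{fid}: port 443 but no TLS handshake")
```

A stream that passes this check has only started a TLS handshake; the check says nothing about whether the client validates the server certificate.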

What can happen should be fairly obvious, but just in case it’s not: information sent to the programmed number can be intercepted, including voice, text and images. Worse yet, since the information comes from another number, that second number can be intercepted and then hijacked.

There is a method in place from WhatsApp to inform you when you’ve signed up for the service on a new device. Unfortunately, it’s only sent to the newer of the two devices, so a hijacked user will not have a confirmation that their account has been compromised.

There is some potentially good news. According to a commenter on Dutch-language site WebWereld, this attack shouldn’t be able to work as easily with the iPhone, but it can still be done via SMS spoofing on websites. However, the whole of the iPhone side is a bit damning as well.

According to blogger Rickey Gevers, the process is a bit more convoluted, but still easy to do. Even worse, Gevers says that WhatsApp in iOS doesn’t even use port 443, but rather port 5222. Why is this dangerous? Because it’s a normal traffic port used by applications that utilize XMPP. Not familiar with XMPP? It’s used by a number of applications such as Google Talk and even Livefyre, our commenting system here on TNW.

We, as well as many other sites, have contacted WhatsApp. We’ll update this story with any more information that we find, but there have not been any replies as of the time of this writing.

Story by Brad McCarty

A music and tech junkie who calls Nashville home, Brad is the Director TNW Academy. You can follow him on Twitter @BradMcCarty.
