This site uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Find out more.X

WhatsApp flaw leaves users open to spying

Share this article:

Global messaging service WhatsApp, now part of Facebook, has owned up to a security flaw which leaves it open to man-in-the-middle (MiTM) attacks.

Major privacy flaw found on WhatsApp
Major privacy flaw found on WhatsApp

The vulnerability was discovered recently by the US University of New Haven's Cyber Forensics Research & Education Group (UNHcFREG).

Researchers found that when WhatsApp users share their location data, it is left unencrypted and can be intercepted through a rogue access point or a man-in-the-middle attack. A video on how it's done using the NetworkMiner network sniffing tool running on Windows is available here.

Commenting on the problem in an April 19 blog post, Sophos senior security advisor Paul Ducklin said that this kind of flaw could be of interest to intelligence services.

He said: “We've written before about one group of ‘attackers' who happily make hay while mobile apps shine forth their data, namely the intelligence services. And we've written about how hard it is to judge whether special-purpose mobile apps - such as those for banking - should be considered safe to use at all. WhatsApp, sadly, yet again joins the list of mobile apps that simply didn't get it right.”

The UNHcFREG researchers advise users: “Do not share your location on WhatsApp until this issue is fixed.”

As for business security professionals, Ducklin believes the flaw should not present a problem. However, he told SCMagazineUK.com via email: “It's disconcerting to find that an app that makes big claims about privacy would give away information where you might reasonably expect it not to. One wonders why WhatsApp didn't just use public key cryptography over a secure connection - TLS, often known as HTTPS.”

WhatsApp is a popular mobile phone app that enables users to send text messages for free. The company was acquired by Facebook for around £11.3 billion ($19 billion) in February, and last month CEO Jan Koum blogged that “respect for its users' privacy is coded into our DNA”.

However, the location flaw is the latest in a series of privacy problems faced by the company.

Koum's blog was in response to accusations by two US privacy groups, the Electronic Privacy Information Center and the Center for Digital Democracy, that the Facebook takeover should be invalidated because WhatsApp's privacy policy was incompatible with that of the social networking giant.

Last month, SC UK also reported a flaw that enabled WhatsApp users' “private” messages to be intercepted through downloaded Android apps.

Ducklin at Sophos has also highlighted previous “security blunders” WhatsApp made in its attempts to use symmetric encryption and to knit its own session-based cryptography.

The company has said it will fix the location bug in the next release across its different mobile phone platforms, telling the UNHcFREG team when they reported the bug: "We have already implemented this solution in the latest beta versions of our app. We will be rolling this fix out to the general public with the next release on each platform.”

Security specialist Dan Drummond, a technical consultant with Apadmi, told SCMagazineUK.com that the problem “shows just how much care app developers need to take in what services apps use, and how they use them. Fortunately this time, this leakage of personal information only happens if a user actively shares their location, and users can stop using this feature until the problem is fixed.

“App users are becoming increasingly aware of privacy and security issues surrounding their personal data, and app developers are going to need to prove they can be trusted with users' sensitive data.”

SC contacted WhatsApp to ask when the fix would be released, but had not received a reply by time of writing.

Share this article:

SC webcasts on demand

This is how to secure data in the cloud


Exclusive video webcast & Q&A sponsored by Vormetric


As enterprises look to take advantage of the cloud, they need to understand the importance of safeguarding their confidential and sensitive data in cloud environments. With the appropriate security safeguards, such as fine-grained access policies, a move to the cloud is as, or more, secure than an on-premise data storage.


View the webcast here to find out more

More in News

Card and banking fraud back on the rise again

Card and banking fraud back on the rise ...

Banking and card fraud back on the rise again says the FFA UK as crime increasingly moves online.

Apple unveils iOS 8.0 - security from the ground upwards

Apple unveils iOS 8.0 - security from the ...

iOS 8.0 - 1.1GB large, but with Apple providing lots of security patches and upgrades...

eBay downplays significance of `old school' XSS attack on its auction portal

eBay downplays significance of `old school' XSS attack ...

eBay vulnerable to XSS attack enabling re-direction of users says BBC.