Facebook acquired the mobile messaging app WhatsApp for $19 billion in cash and stock on Wednesday. The acquisition was attractive for the social networking giant, but also to government spies and hackers, according to security researchers.
On Thursday, a report by Paul Jauregui, a researcher from the security firm Praetorian, points out major weaknesses behind WhatsApp’s implementation of secure socket layers (SSL), a protocol that is responsible for the encryption behind users’ communications.
The issue in question is why WhatsApp supports version two of SSL encryption. The older version of the protocol is susceptible to several well-known attacks that could allow a hacker to monitor a conversation between two endpoints, allowing them to view and even manipulate traffic as it passes. The attack is known as a “man-in-the-middle” attack, which allows the attacker to invisibly intercept data that is being transferred between two users, despite the SSL encryption.
The WhatsApp team has failed to implement a technique known as “certificate planning,” which is designed to block attacks that are using forged certificates, basically someone who is trying to pretend they are you.
Jauregui also points out two more deficiencies with the way WhatsApp implements SSL: The use of SSL null ciphers — essentially if the app’s encryption techniques do not match those of the server, the app will automatically switch to no encryption — and the enabling of SSL export ciphers. Both of these make it easier for attackers to ‘tap into’ the traffic as it moves between one end point to the other.
Other privacy issues come from the fact that WhatsApp has personal data from 450 million users and a leak of all that data would be very bad. Privacy researcher Runa Sandvik says:
With the acquisition of WhatsApp by Facebook, many start to wonder if the social network will combine its user data with that of WhatsApp, even though the company’s terms of service prevent any acquirer from doing so.
Praetorian’s Paul Jauregui wrote:
“This is the kind of stuff the NSA would love. It basically allows them—or an attacker—to man-in-the-middle the connection and then downgrade the encryption so they can break it and sniff the traffic. These security issues put WhatsApp user information and communications at risk.”
In an interview, WhatsApp co-founder and CEO Jan Koum told Wired UK that:
“Nobody should have the right to eavesdrop, or you become a totalitarian state — the kind of state I escaped as a kid to come to this country where you have democracy and freedom of speech. Our goal is to protect it. We have encryption between our client and our server. We don’t save any messages on our servers, we don’t store your chat history. They’re all on your phone.”
The latest security issue with WhatsApp is not the first, back in October 2013, a computer science student at Utrecht University in the Netherlands documented a critical encryption flaw that allowed adversaries to decrypt any message (voice or text) that was sent using WhatsApp.