Security consultant and researcher Bas Bosschert has produced a proof-of-concept exploit that leverages a vulnerability in the popular WhatsApp messaging application that could allow an attacker to retrive private communications.
The vulnerability discovered by Bosschert and his team could allow data from any application that is allowed access to the mobile devices SD card to be extracted, including chats saved in a database from WhatsApp.
“The WhatsApp database is saved on the SD card which can be read by any Android application if the user allows it to access the SD card,” wrote Bosschert. “And since majority of the people allows everything on their Android device, this is not much of a problem.”
Newer versions of WhatsApp do provide a level of encryption, but Bosschert noted that the effort is all but futile since the decryption key can be easily accessed from WhatsApp Xtract, which is designed to backup WhatsApp chats.
“Lately WhatsApp is using encryption to encrypt the database, so it can no longer be opened by SQLite. But we can simply decrypt this database using a simple python script,” Bosschert. “This script converts the crypted database to a plain SQLite3 database (got key from Whatsapp Xtract).”
Last month, WhatsApp had to respond to problems with its SSL encryption that could have left users vunerable to man-in-the-middle (MitM) attacks and encryption downgrades. the company quickly patched the issues, but have thus far not responded to the new privacy vulnerabilities identified by Bosschert.
Read More Here…