WhatsApp Flaw Opens Database Doors to Hackers



          

It's not clear what value hackers might find in perusing the chats of WhatsApp users, but that's small comfort to those who'd rather not expose their private conversations. An Android developer presented a proof of concept showing how the deed could be done, but there's no reason to believe that any thieves have penetrated the WhatsApp vault. It could mean a snag in Facebook's acquisition deal.

An Android developer's disclosure that it's possible to hack into the WhatsApp database and read the text of the chats from another application could be a big headache for Facebook, which has agreed to purchase the app for US$19 billion.

"This is not a bug, but a design decision of WhatsApp," Bas Bosschert, chief technology officer of Double Think, told LinuxInsider.

"They selected for usability in their design, not security," he continued. "I didn't find anything new -- I only showed how people could abuse this flaw with a working proof of concept."

The flaw works if the database backup capability is enabled, which it apparently is by default, commenters on Bosschert's blog post said.

Although WhatsApp had encrypted its database in February, that encryption is available only in new installations, and updates still use the old, unencrypted version, Bosschert remarked.

Facebook and WhatsApp did not respond to our request to comment for this story.

How the Hack Works

The process seems straightforward -- Bosschert created a PHP script to store the database on a Web server, created an Eclipse project with some additional lines in the AndroidManifest.xml file, and grabbed the msgstore.db and wa.db WhatsApp files, which are unencrypted. His application displayed a simple loading screen during that process so users wouldn't notice their WhatsApp database was being pilfered.

The hack is possible because the WhatsApp database used to be written in SQLite3. OpenSSL apparently also could be used to hack the database.

Although it appears WhatsApp encrypted the msgstore.db database using the .crypt utility, it's still possible to read chats from the encrypted database by creating a simple Python script, which converts it to a plain SQLite 3 database.

Keeping Chats Safe

Bosschert obtained the database's AES key by using the WhatsApp Xtract tool published in the XDA Developers Forum. That key no longer works with the encrypted database, according to TiFlo Software, which claims its statistical app cracks the encryption.

"Given the nature of the WhatsApp use model, with backup enabled by default, you could argue that the hack is a key to a treasure house of information ... [but] I personally doubt it," Charles King, principal analyst at Pund-IT, told LinuxInsider.

"Given the size of WhatsApp's user base and how popular the app is among young people, finding anything of value would likely be comparable to searching for a needle of enlightenment in digital haystacks of teenaged trivia," King continued.

The Impact on Facebook

The impact of the hack on Facebook's purchase of WhatsApp likely will be minimal at worst.

"It will take something like the Target hack, where millions of people lost their credit card information, to have an impact on the deal," Jim McGregor, founder and principal analyst at Tirias Research, told LinuxInsider.

"That will eventually happen as electronic wallets and other applications emerge, but for now it's going to be another of those 'there's another issue, go fix it' things for Facebook, which is a company that's known for sharing user information anyway."

Still, users will be screwed if WhatsApp doesn't think of a backwards-compatible solution so existing databases can be converted to a secure implementation, Bosschert said.

Given that competition in the chat apps market is keen and some WhatsApp users have fled to other apps like Viber in the wake of the Facebook purchase, perhaps the situation should not be taken too lightly.
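The article's note that updated installations keep the old, unencrypted SQLite 3 database can be checked from the defender's side. The following is an added example, not code from the article or from Bosschert's proof of concept: it classifies a backup file as plaintext SQLite 3 (by the standard 16-byte file header) or as likely encrypted (by byte entropy). The function names, the 7.5-bit threshold and the sample files are assumptions constructed for illustration.

```python
import math
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0.0 to 8.0); ciphertext sits close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_backup(path: str, sample_size: int = 65536) -> str:
    """Return 'plaintext-sqlite', 'likely-encrypted' or 'unknown'."""
    with open(path, "rb") as fh:
        sample = fh.read(sample_size)
    if sample.startswith(SQLITE_MAGIC):
        return "plaintext-sqlite"  # readable by anything that can open the file
    if len(sample) >= 1024 and shannon_entropy(sample) > 7.5:  # assumed threshold
        return "likely-encrypted"
    return "unknown"


def build_samples(directory: str) -> dict:
    """Constructed inputs: a real SQLite file, and random bytes standing in for ciphertext."""
    plain = os.path.join(directory, "plain_sample.db")
    con = sqlite3.connect(plain)
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    con.execute("INSERT INTO messages (body) VALUES ('constructed sample row')")
    con.commit()
    con.close()
    enc = os.path.join(directory, "encrypted_sample.bin")
    with open(enc, "wb") as fh:
        fh.write(os.urandom(8192))
    return {"plain": plain, "encrypted": enc}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for label, path in build_samples(tmp).items():
            print(label, "->", classify_backup(path))
```

A "likely-encrypted" result says only that the file is not a plain SQLite 3 database; as the article notes, encryption with a recoverable key does not by itself keep the chats private.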
Posted on: Thu, 13 Mar 2014 05:21:01 +0000
