- Jan 24, 2011
- 9,378
An IT expert has uncovered another flaw in the popular messaging service WhatsApp. According to Netherlands based technical consultant Bas Bosschert, Android WhatsApp users are at risk of having their messages stolen.
Bosschert, who has more than a decade working in the field, said that it is very possible for developers to access chat history if the user isn't careful about which apps they download. By getting a user to install a malicious app, obviously disguised as something legitimate, the attacker can easily access his or her chat history from the back-ups WhatsApp makes on their device's SD card.
Described in detail on Bosschert's blog, code can be added to an Android game, for example, that would allow an attacker to stealthily extract WhatsApp data. Bosschert said the user would just see the game's load screen but they "wouldn't notice that their WhatsApp database has been uploaded" to the attacker's servers.
Previously, WhatsApp security was in question when computer science student Thijs Alkemade from the Netherlands said that ingoing and outgoing messages are encrypted with the same key. The issue being that this allows attackers to cancel out the key and easily recover the plain text data.
While Google specifically bans apps that collect info without the user's knowledge, as we all know this hasn't completely stopped other malicious software from appearing in the past. Users can avoid these kinds of apps by very carefully examining the permissions as well as ensuring the validity of the app's source before downloading and installing them.
Read more: http://www.techspot.com/news/55970-...dly-leaves-your-private-messages-at-risk.html
Bosschert, who has more than a decade working in the field, said that it is very possible for developers to access chat history if the user isn't careful about which apps they download. By getting a user to install a malicious app, obviously disguised as something legitimate, the attacker can easily access his or her chat history from the back-ups WhatsApp makes on their device's SD card.
Described in detail on Bosschert's blog, code can be added to an Android game, for example, that would allow an attacker to stealthily extract WhatsApp data. Bosschert said the user would just see the game's load screen but they "wouldn't notice that their WhatsApp database has been uploaded" to the attacker's servers.
Previously, WhatsApp security was in question when computer science student Thijs Alkemade from the Netherlands said that ingoing and outgoing messages are encrypted with the same key. The issue being that this allows attackers to cancel out the key and easily recover the plain text data.
While Google specifically bans apps that collect info without the user's knowledge, as we all know this hasn't completely stopped other malicious software from appearing in the past. Users can avoid these kinds of apps by very carefully examining the permissions as well as ensuring the validity of the app's source before downloading and installing them.
Read more: http://www.techspot.com/news/55970-...dly-leaves-your-private-messages-at-risk.html
