WhatsApp leaks telephone numbers, conversations

UPDATE: WhatsApp hoax latest details

It's easy to eavesdrop on people using the popular mobile messenger WhatsApp. The application sends user names, telephone numbers and even complete instant messages unencrypted over the internet. Adversaries can intercept this information by using a simple network sniffer like the popular Wireshark [http://www.wireshark.org/].

A reader of the Dutch IDG publication Webwereld discovered this vulnerability [http://eva-quirinius.blogspot.com/2011/05/whatsapp-sends-contact-info-en-messages.html]. He was able to intercept all unencrypted traffic on a network, and Webwereld was able to reproduce [http://webwereld.nl/nieuws/106723/whatsapp-lekt-06-nummers-en-chatberichten.html] his findings. At first sight, it looks as if WhatsApp is using an SSL-secured HTTPS connection to its servers, but closer inspection shows otherwise. Although all usernames, telephone numbers and instant messages are transferred via port 443, which is reserved for encrypted traffic, they are sent to WhatsApp's servers in plain text.
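A network defender can check for this mismatch by testing whether the first bytes a client sends to port 443 form an SSL/TLS record header. The sketch below is an added example, not code from Webwereld or the original researcher; the flow tuples and payloads are constructed sample data and do not reproduce WhatsApp's actual wire format.

```python
import struct

# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {20, 21, 22, 23}
MAX_RECORD_LEN = 2**14 + 2048  # largest ciphertext record length TLS 1.2 allows

# Constructed sample data: (flow id, destination port, first client payload).
SAMPLE_FLOWS = [
    ("flow-1", 443, b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x00" * 36),
    ("flow-2", 443, b"<message to='0000000000@example.invalid'>see you at 8</message>"),
    ("flow-3", 443, b"\x00\x01\x02\x03\x04\x05\x06\x07"),
    ("flow-4", 80, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
]


def looks_like_tls_record(payload: bytes) -> bool:
    """True if the payload starts with a plausible SSL 3.0 / TLS record header.

    SSLv2-format hellos are not recognised and would be flagged for review.
    """
    if len(payload) < 5:
        return False
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    return (ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 3
            and 0 < length <= MAX_RECORD_LEN)


def printable_ratio(payload: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not payload:
        return 0.0
    ok = sum(1 for b in payload if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(payload)


def audit_flows(flows):
    """Return (flow id, verdict) for every port-443 flow that is not TLS."""
    findings = []
    for flow_id, dst_port, payload in flows:
        if dst_port != 443 or looks_like_tls_record(payload):
            continue
        verdict = "readable cleartext" if printable_ratio(payload) > 0.8 else "non-TLS binary"
        findings.append((flow_id, verdict))
    return findings


if __name__ == "__main__":
    for flow_id, verdict in audit_flows(SAMPLE_FLOWS):
        print(f"{flow_id}: port 443 without TLS framing ({verdict})")
```

A flow reported as "readable cleartext" is the case described above: the port number suggests HTTPS, but anyone on the path can read the content.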

Because of this, it's easy to obtain private information by using a man-in-the-middle attack. The attack can only be carried out when a smartphone using WhatsApp is connected to an unsecured wireless network, such as the WiFi hotspots offered at train stations or airports.

Adversaries could also set up a WiFi access point with a common SSID of an unencrypted wireless network. This is known as an evil twin network [http://en.wikipedia.org/wiki/Evil%20twin%20%28wireless%20networks%29]. If the malicious user forwards the requests of the app to the internet, it's even easier to capture private information. People using only trusted or secured WiFi networks are probably less vulnerable to this attack.

In a statement, WhatsApp says that it "strongly believes in network freedom and privacy" of its users. The company is studying this issue closely but does not wish to comment at this time.

The company tells the discoverer of the vulnerability a different story. In that comment, WhatsApp states that it relies on 3G and WiFi to protect the traffic. "We do not save or store address book data or your conversations, so there is nothing to encrypt," a spokeswoman said.
