
WhatsApp leaks Telephone numbers, conversations

UPDATE: WhatsApp hoax latest details

It's easy to eavesdrop on people using the popular mobile messenger WhatsApp. The application sends user names, telephone numbers and even complete instant messages unencrypted over the internet. Adversaries can intercept this information by using a simple network sniffer like the popular Wireshark [http://www.wireshark.org/].

A reader of the Dutch IDG publication Webwereld discovered this vulnerability [http://eva-quirinius.blogspot.com/2011/05/whatsapp-sends-contact-info-en-messages.html]. He was able to intercept all unencrypted traffic on a network, and Webwereld was able to reproduce [http://webwereld.nl/nieuws/106723/whatsapp-lekt-06-nummers-en-chatberichten.html] his findings. At first sight, it looks like WhatsApp is using an SSL-secured HTTPS connection to its servers, but closer inspection shows otherwise. Although all usernames, telephone numbers and instant messages are transferred via port 443, which is reserved for encrypted traffic, they are sent to WhatsApp's servers in plain text.
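A defender can test for this condition by checking whether the first client bytes on a port-443 connection form a TLS record at all. The following is an added example, not code from the article or from WhatsApp; the function names and both sample payloads are constructed for illustration, and it assumes `data` holds the first bytes the client sent on the connection.

```python
import struct

# TLS record content types (RFC 5246 / RFC 8446).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2**14 + 2048  # largest ciphertext record TLS 1.2 permits

# Constructed samples: a minimal ClientHello-shaped record and a made-up
# cleartext message (the real app's wire format is not shown in the article).
SAMPLE_TLS = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
SAMPLE_PLAINTEXT = b"user=alice;msisdn=+00000000000;body=hello"

def parse_tls_record_header(data):
    """Return (content_type, (major, minor), length) or None if not TLS-shaped."""
    if len(data) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in TLS_CONTENT_TYPES:
        return None
    if major != 3 or minor > 4:  # record versions 3.0 (SSL 3.0) to 3.4 (TLS 1.3)
        return None
    if length > MAX_RECORD_LEN:
        return None
    return TLS_CONTENT_TYPES[ctype], (major, minor), length

def classify_first_flight(data):
    """Classify the first client bytes seen on a port-443 connection."""
    hdr = parse_tls_record_header(data)
    # A TLS client must open with a handshake record carrying ClientHello (type 1).
    if hdr and hdr[0] == "handshake" and len(data) >= 6 and data[5] == 1:
        return "tls"
    # Mostly printable bytes on port 443 indicate cleartext application data.
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    if data and printable / len(data) > 0.9:
        return "plaintext"
    return "other"

if __name__ == "__main__":
    for name, payload in (("tls", SAMPLE_TLS), ("cleartext", SAMPLE_PLAINTEXT)):
        print(name, "->", classify_first_flight(payload))
```
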

Because of this, it's easy to obtain private information with a man-in-the-middle attack. The attack can only be carried out when a smartphone using WhatsApp is connected to an unsecured wireless network, such as the WiFi hotspots offered at train stations or airports.

Adversaries could also set up a WiFi access point with a common SSID of an unencrypted wireless network. This is known as an evil twin network [http://en.wikipedia.org/wiki/Evil%20twin%20%28wireless%20networks%29]. If the malicious user forwards the requests of the app to the internet, it's even easier to capture private information. People using only trusted or secured WiFi networks are probably less vulnerable to this attack.

In a statement, WhatsApp says that it "strongly believes in network freedom and privacy" of its users. The company is studying this issue closely but does not wish to comment at this time.

The company told the discoverer of the vulnerability a different story. In that comment, WhatsApp states that it relies on 3G and WiFi to protect the traffic. "We do not save or store address book data or your conversations, so there is nothing to encrypt," a spokeswoman said.
