WhatsApp leaks Telephone numbers, conversations

UPDATE: WhatsApp hoax latest details

It's easy to eavesdrop on people using the popular mobile messenger WhatsApp. The application sends user names, telephone numbers and even complete instant messages unencrypted over the internet. Adversaries can intercept this information by using a simple network sniffer like the popular Wireshark [http://www.wireshark.org/].

A reader of the Dutch IDG publication Webwereld discovered this vulnerability [http://eva-quirinius.blogspot.com/2011/05/whatsapp-sends-contact-info-en-messages.html]. He was able to intercept all unencrypted traffic on a network, and Webwereld was able to reproduce [http://webwereld.nl/nieuws/106723/whatsapp-lekt-06-nummers-en-chatberichten.html] his findings. At first sight, it looks like WhatsApp is using an SSL-secured HTTPS connection to its servers, but closer inspection shows otherwise. Although all usernames, telephone numbers and instant messages are transferred via port 443, which is reserved for encrypted traffic, they are sent to WhatsApp's servers in plain text.
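The point above, that traffic on port 443 is not necessarily encrypted, can be checked on a capture of your own app's traffic by inspecting the first bytes the client sends. The following is an added example, not code from the article or from WhatsApp; the function names and both sample payloads are constructed for illustration.

```python
import struct

# TLS record content types (RFC 5246 / RFC 8446)
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2**14 + 2048  # largest ciphertext fragment TLS 1.2 allows

def parse_tls_record_header(payload: bytes):
    """Return (content_type, (major, minor), length) if payload starts with
    a plausible 5-byte TLS record header, else None."""
    if len(payload) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    if ctype not in TLS_CONTENT_TYPES:
        return None
    if major != 3 or minor > 4:      # SSL 3.0 through TLS 1.3 record versions
        return None
    if length > MAX_RECORD_LEN:
        return None
    return TLS_CONTENT_TYPES[ctype], (major, minor), length

def classify_first_flight(payload: bytes) -> str:
    """Classify the first client-to-server bytes of a connection to port 443."""
    hdr = parse_tls_record_header(payload)
    if hdr is not None:
        # A TLS session opens with a handshake record whose first message
        # is ClientHello (handshake type 1).
        if hdr[0] == "handshake" and len(payload) > 5 and payload[5] == 1:
            return "tls-client-hello"
        return "tls-record-unexpected"
    # Not TLS framing: mostly printable bytes means readable plain text.
    # (Legacy SSLv2-style hellos would also land in "unknown-binary".)
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload)
    if payload and printable / len(payload) > 0.9:
        return "plaintext"
    return "unknown-binary"

# Constructed samples: start of a TLS ClientHello record, and a made-up
# cleartext message (not WhatsApp's actual wire format).
SAMPLE_TLS = bytes.fromhex("160301002f0100002b0303") + bytes(41)
SAMPLE_PLAIN = b"user=alice&phone=15550100&msg=hello there"

if __name__ == "__main__":
    for name, data in (("tls", SAMPLE_TLS), ("plain", SAMPLE_PLAIN)):
        print(name, "->", classify_first_flight(data))
```

A connection to port 443 whose first flight classifies as anything other than `tls-client-hello` deserves a closer look in the capture.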

Because of this, it's easy to obtain private information by using a man-in-the-middle attack. The attack can only be carried out when a smartphone using WhatsApp is connected to an unsecured wireless network, such as the WiFi hotspots offered at train stations or airports.

Adversaries could also set up a WiFi access point with a common SSID of an unencrypted wireless network. This is known as an evil twin network [http://en.wikipedia.org/wiki/Evil%20twin%20%28wireless%20networks%29]. If the malicious user forwards the requests of the app to the internet, it's even easier to capture private information. People using only trusted or secured WiFi networks are probably less vulnerable to this attack.

In a statement, WhatsApp says that it "strongly believes in network freedom and privacy" of its users. The company is studying this issue closely but does not wish to comment at this time.

To the discoverer of the vulnerability, the company tells a different story. In this comment, WhatsApp states that it trusts 3G and WiFi to protect the traffic. "We do not save or store address book data or your conversations, so there is nothing to encrypt," a spokeswoman said.
