WhatsApp flaw could reveal all your past conversations
Posted on 12 March 2014.
A new WhatsApp flaw that allows any other application on your Android device to exfiltrate and decrypt past WhatsApp conversations has been discovered and revealed by security consultant Bas Bosschert.

"Facebook didn’t need to buy WhatsApp to read your chats," he says, and explains: "The WhatsApp database is saved on the SD card which can be read by any Android application if the user allows it to access the SD card. And since the majority of the people allow everything on their Android device, this is not much of a problem."

The creator of a rogue application designed to do just that can hide what the app is really doing by showing a loading screen while the user is waiting for the app to start.

WhatsApp conversations have previously been stored in plain text, but newer versions of the app encrypt the databases storing them. Unfortunately, they are easily decrypted: Bosschert did it with a simple Python script, using the AES key he got from WhatsApp Xtract, a tool that backs up and displays WhatsApp chats on a computer.

Yes, WhatsApp apparently uses the same encryption key for every user.

The company has still not commented on the issue, but some users did, and have pointed out that the approach only works when the WhatsApp backup feature is used, and the feature is not turned on by default.

WhatsApp has issued an update for the app today, but it didn't fix the issue.
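The design problem described above, one AES key shared by every install, is shown next to a per-install alternative in the following added example; it is not code from Bosschert or WhatsApp. The `Install` class, the `backup-db-v1` label and the key bytes are constructed for illustration, and the derivation is standard HKDF (RFC 5869) built from the Python standard library.

```python
import hashlib
import hmac
import os

# Constructed placeholder, NOT a real application key: it stands for any key
# that ships inside an app and is therefore identical on every device.
STATIC_APP_KEY = bytes.fromhex("00112233445566778899aabbccddeeff0011223344556677")


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869): extract a PRK from ikm, then expand it to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class Install:
    """Hypothetical model of one app installation (an assumption of this example)."""

    def __init__(self, account_id: str):
        self.account_id = account_id
        # Random secret created at first run and kept in app-private storage,
        # never next to the database on shared storage such as the SD card.
        self.install_secret = os.urandom(32)
        # The salt is not secret and may be stored alongside the backup file.
        self.salt = os.urandom(16)

    def shared_key(self) -> bytes:
        # Weak design: every install returns the same bytes, so extracting the
        # key once is enough to read every user's backup.
        return STATIC_APP_KEY

    def backup_key(self) -> bytes:
        # Per-install design: the key depends on a secret that other apps
        # cannot read, so a copied database file is not enough on its own.
        info = b"backup-db-v1|" + self.account_id.encode()
        return hkdf_sha256(self.install_secret, self.salt, info)


if __name__ == "__main__":
    a, b = Install("alice"), Install("bob")
    print("shared key identical:", a.shared_key() == b.shared_key())
    print("derived key identical:", a.backup_key() == b.backup_key())
```

A key that never leaves the device cannot restore a backup onto a new phone, so backup designs usually derive the key from something the user or the service can supply again.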
