Archive for WhatsApp

WhatsApp & Telegram Flaw Allows Hijacking Of Accounts…. But Don’t Worry…It’s Fixed

Posted in Commentary with tags , on March 16, 2017 by itnerd

A flaw in in the web version of Telegram and WhatsApp has been discovered that via a specially crafted image, allows a hacker to hijack the account. The flaw was discovered by CheckPoint and here’s what you need to know:

The exploitation of this vulnerability starts with the attacker sending an innocent looking file to the victim, which contains malicious code.

The file can be modified to contain attractive content to raise the chances a user will open it. In WhatsApp, once the user clicks to open the image, the malicious file allows the attacker to access the local storage, where user data is stored. In Telegram, the user should click again to open a new tab, in order for the attacker to access local storage. From that point, the attacker can gain full access to the user’s account and account data. The attacker can then send the malicious file to the all victim’s contacts, opening a dangerous door to a potentially widespread attack over the WhatsApp and Telegram networks.

Since messages were encrypted without being validated first, WhatsApp and Telegram were blind to the content, thus making them unable to prevent malicious content from being sent.

For those of you who are more visual, here’s a video of the pwnage in action:

 

The good news is that this is already fixed by both parties. And better yet, the phone app appears not to be affected. Still, I’d advise that users of either web app avoid opening suspicious files and links from unknown users and flush your browser cache every once in a while.

Advertisements

WhatsApp Now Has Two Step Verification

Posted in Commentary with tags on February 10, 2017 by itnerd

WhatsApp is rolling out a two-step verification feature starting today. This feature will allow users to securely verify their number with a custom-generated six-digit passcode whenever they install the app on a new device.

To enable this feature, do the following:

  • Open the app
  • Tap Settings
  • Tap Account
  • Tap Two-step verification
  • Tap Enable

You will then be asked if you want to enter your email address. This is used by WhatsApp to send a link via email to disable two-step verification in case the six-digit passcode is forgotten, and also to help safeguard the account. But to help you remember the passcode, you’ll be asked for it from time to time and you can’t opt out of that.

Security Researchers Call On The Guardian To Retract WhatsApp Story

Posted in Commentary with tags on January 20, 2017 by itnerd

You’ll recall that I posted a story that detailed a story from The Guardian on what it called a “backdoor” in WhatsApp. Some security researchers have called out The Guardian for what they concluded was irresponsible journalism and misleading story. Over three dozen security researchers including Matthew Green and Bruce Schneier (as well as some from companies such as Google, Mozilla, Cloudflare, and EFF) have signed a long editorial post, pointing out where The Guardian’s report fell short, and also asking the publication to retract the story.

So, is this a backdoor or not? The lack of a definitive answer on this leaves users in limbo. Maybe both sides should work together to clear the air on this. And for bonus points, maybe Facebook who owns WhatsApp should get involved as well?

Backdoor Found In WhatsApp End To End Security

Posted in Commentary with tags on January 13, 2017 by itnerd

It seems that those who rely on the fact that popular messaging app WhatsApp appears to have a backdoor that could allow Facebook (who owns WhatsApp) to read messages as well as making it possible for the company to comply with court orders to make messages available to government bodies. Here’s what The Guardian reports:

The security backdoor was discovered by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley. He told the Guardian: “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.”

The backdoor is not inherent to the Signal protocol. Open Whisper Systems’ messaging app, Signal, the app used and recommended by whistleblower Edward Snowden, does not suffer from the same vulnerability. If a recipient changes the security key while offline, for instance, a sent message will fail to be delivered and the sender will be notified of the change in security keys without automatically resending the message.

WhatsApp’s implementation automatically resends an undelivered message with a new key without warning the user in advance or giving them the ability to prevent it.

Boelter reported the backdoor vulnerability to Facebook in April 2016, but was told that Facebook was aware of the issue, that it was “expected behaviour” and wasn’t being actively worked on. The Guardian has verified the backdoor still exists.

This news is sure to send Facebook into full damage control mode as Facebook really pushes the end to end encryption feature of WhatsApp and that they can’t read your messages. It will be interesting to see how they respond to this (which they haven’t as I type this), and how WhatsApp users respond to this.

WhatsApp Rolling Out Free Encrypted Video Calling

Posted in Commentary with tags on November 15, 2016 by itnerd

In a move that will get a lot of attention, WhatsApp is rolling out it’s video calling feature that will be encrypted. The new video calling feature is rolling out on Android, iOS and Windows 10 Mobile. Here’s what the company said on a blog post that went up on Monday:

We’re introducing this feature because we know that sometimes voice and text just aren’t enough. There’s no substitute for watching your grandchild take her first steps, or seeing your daughter’s face while she’s studying abroad. And we want to make these features available to everyone, not just those who can afford the most expensive new phones or live in countries with the best cellular networks.

The reason why this will get a lot of attention is that it is going to take a direct shot at FaceTime from Apple and Skype from Microsoft. It will also get a lot of attention from law enforcement who tend not to be thrilled about anything that is online and encrypted since that takes away their ability to snoop.

If you’re a WhatsApp user and you haven’t seen this feature yet, it should appear in the coming days.

Surprise! FBI Is Worried By Encryption In Whatsapp

Posted in Commentary with tags on April 7, 2016 by itnerd

You’ll recall that I posted a story about Whatsapp implementing end to end encryption in the popular messaging app. I also had this to say:

It’s a safe bet that with this move some government (likely the US one) is going to go to Facebook to get some info and there is going to be an Apple vs. FBI type fight. I’m calling it now.

Well, the fight looks like it may be about to begin as the FBI has popped up to say this:

FBI General Counsel James Baker said in Washington on Tuesday that the decision by the Facebook-owned messaging platform to encrypt its global offerings “presents us with a significant problem” because criminals and terrorists could “get ideas.”

Speaking during an event hosted by the International Association of Privacy Professionals, the FBI’s top attorney said the increasing use of such encryption threatens the reach of law enforcement investigations.

“If the public does nothing, encryption like that will continue to roll out,” he said. “It has public safety costs. Folks have to understand that, and figure out how they are going to deal with that. Do they want the public to bear those costs? Do they want the victims of terrorism to bear those costs?”

I’d say that the public isn’t doing “nothing.” Instead, they via the methods of communication that they use are choosing privacy over letting a government have the ability to snoop at will. I think that’s called freedom. Something that the US apparently is in favor of. Or at least I thought they were. Now I do get that law enforcement might have reasons to get info to investigate something or stop something from happening. But bashing the encrypting of communications and devices I believe is not helpful.

Whatsapp Encrypts Conversations From End To End

Posted in Commentary with tags on April 5, 2016 by itnerd

In a move that is sure to annoy the FBI, Facebook owned Whatsapp via a update to their apps now do end to end encryption. This means that not only is WhatsApp unable to access the data generated by its users, but nobody else can either. Here’s what a blog entry on the topic said:

The idea is simple: when you send a message, the only person who can read it is the person or group chat that you send that message to. No one can see inside that message. Not cybercriminals. Not hackers. Not oppressive regimes. Not even us. End-to-end encryption helps make communication via WhatsApp private – sort of like a face-to-face conversation.

If you’re interested in learning more about how end-to-end encryption works, you can read about it here. But all you need to know is that end-to-end encrypted messages can only be read by the recipients you intend. And if you’re using the latest version of WhatsApp, you don’t have to do a thing to encrypt your messages: end-to-end encryption is on by default and all the time.

It’s a safe bet that with this move some government (likely the US one) is going to go to Facebook to get some info and there is going to be an Apple vs. FBI type fight. I’m calling it now.