Archive for WhatsApp

WhatsApp May Be Blocked In China

Posted in Commentary on July 19, 2017 by itnerd

The New York Times is reporting that popular messaging service WhatsApp appears to be blocked in China:

The blocks against WhatsApp originated with the government, according to a person familiar with the situation who declined to be named because they were not authorized to speak on the record about the disruption. Security experts also verified that the partial disruption in WhatsApp started with China’s internet filters.

“According to the analysis that we ran today on WhatsApp’s infrastructure, it seems that the Great Firewall is imposing censorship that selectively targets WhatsApp functionalities,” said Nadim Kobeissi, an applied cryptographer at Symbolic Software, a cryptography research start-up.

This isn’t trivial as WhatsApp has something in the area of 1.2 billion users worldwide. Thus this is going to get a lot of attention. The question is, will the Chinese government care about the blowback from this? We’ll have to watch and see.


WhatsApp & Telegram Flaw Allows Hijacking Of Accounts…. But Don’t Worry…It’s Fixed

Posted in Commentary on March 16, 2017 by itnerd

A flaw in the web version of Telegram and WhatsApp has been discovered that, via a specially crafted image, allows a hacker to hijack the account. The flaw was discovered by CheckPoint and here’s what you need to know:

The exploitation of this vulnerability starts with the attacker sending an innocent looking file to the victim, which contains malicious code.

The file can be modified to contain attractive content to raise the chances a user will open it. In WhatsApp, once the user clicks to open the image, the malicious file allows the attacker to access the local storage, where user data is stored. In Telegram, the user should click again to open a new tab, in order for the attacker to access local storage. From that point, the attacker can gain full access to the user’s account and account data. The attacker can then send the malicious file to all the victim’s contacts, opening a dangerous door to a potentially widespread attack over the WhatsApp and Telegram networks.

Since messages were encrypted without being validated first, WhatsApp and Telegram were blind to the content, thus making them unable to prevent malicious content from being sent.

For those of you who are more visual, here’s a video of the pwnage in action:

 

The good news is that this is already fixed by both parties. And better yet, the phone app appears not to be affected. Still, I’d advise users of either web app to avoid opening suspicious files and links from unknown users, and to flush their browser cache every once in a while.
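The "encrypted without being validated first" point from the description above, as an added example (not code from WhatsApp, Telegram or CheckPoint): the client checks that a file declared as an image really carries image bytes before encrypting it, because after encryption the relay can no longer inspect the content. All function names are hypothetical, the sample files are constructed, and the XOR step is only a stand-in for real encryption.

```javascript
// Added example: validate an attachment's bytes BEFORE encrypting it.
// Function names are hypothetical; sample inputs are constructed.
const IMAGE_SIGNATURES = [
  { type: "image/png", magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: "image/jpeg", magic: [0xff, 0xd8, 0xff] },
  { type: "image/gif", magic: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
];

// Return the image type the leading bytes match, or null if none.
function sniffImageType(bytes) {
  for (const { type, magic } of IMAGE_SIGNATURES) {
    if (bytes.length >= magic.length && magic.every((b, i) => bytes[i] === b)) {
      return type;
    }
  }
  return null;
}

// Decide whether a file declared as an image may go on to encryption.
function validateAttachment(declaredType, bytes) {
  const actual = sniffImageType(bytes);
  if (actual === null) {
    return { ok: false, reason: "content matches no known image signature" };
  }
  if (actual !== declaredType) {
    return { ok: false, reason: `declared ${declaredType}, content is ${actual}` };
  }
  return { ok: true, reason: "content matches declared type" };
}

// Gate: the encrypt callback only ever receives validated content.
function sendAttachment(declaredType, bytes, encrypt) {
  const verdict = validateAttachment(declaredType, bytes);
  if (!verdict.ok) return { sent: false, reason: verdict.reason };
  return { sent: true, ciphertext: encrypt(bytes) };
}

// Constructed samples: a PNG header, and markup labelled as a PNG.
const realPng = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]);
const fakePng = new TextEncoder().encode("<html><body>not an image</body></html>");
const toyEncrypt = (b) => b.map((x) => x ^ 0x5a); // stand-in, NOT real encryption

const sentOk = sendAttachment("image/png", realPng, toyEncrypt);
console.log(sentOk.sent, sniffImageType(sentOk.ciphertext)); // relay sees no image type
console.log(sendAttachment("image/png", fakePng, toyEncrypt));
```

The same sniffing function that accepts the plaintext PNG returns nothing useful on the ciphertext, which is why the check has to run on the sending client.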

WhatsApp Now Has Two Step Verification

Posted in Commentary on February 10, 2017 by itnerd

WhatsApp is rolling out a two-step verification feature starting today. This feature will allow users to securely verify their number with a custom-generated six-digit passcode whenever they install the app on a new device.

To enable this feature, do the following:

  • Open the app
  • Tap Settings
  • Tap Account
  • Tap Two-step verification
  • Tap Enable

You will then be asked if you want to enter your email address. This is used by WhatsApp to send a link via email to disable two-step verification in case the six-digit passcode is forgotten, and also to help safeguard the account. But to help you remember the passcode, you’ll be asked for it from time to time and you can’t opt out of that.

Security Researchers Call On The Guardian To Retract WhatsApp Story

Posted in Commentary on January 20, 2017 by itnerd

You’ll recall that I posted a story that detailed a report from The Guardian on what it called a “backdoor” in WhatsApp. Some security researchers have called out The Guardian for what they concluded was irresponsible journalism and a misleading story. Over three dozen security researchers including Matthew Green and Bruce Schneier (as well as some from companies such as Google, Mozilla, Cloudflare, and EFF) have signed a long editorial post, pointing out where The Guardian’s report fell short, and also asking the publication to retract the story.

So, is this a backdoor or not? The lack of a definitive answer on this leaves users in limbo. Maybe both sides should work together to clear the air on this. And for bonus points, maybe Facebook, who owns WhatsApp, should get involved as well?

Backdoor Found In WhatsApp End To End Security

Posted in Commentary on January 13, 2017 by itnerd

It appears that popular messaging app WhatsApp has a backdoor that could allow Facebook (who owns WhatsApp) to read messages, as well as making it possible for the company to comply with court orders to make messages available to government bodies. Here’s what The Guardian reports:

The security backdoor was discovered by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley. He told the Guardian: “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.”

The backdoor is not inherent to the Signal protocol. Open Whisper Systems’ messaging app, Signal, the app used and recommended by whistleblower Edward Snowden, does not suffer from the same vulnerability. If a recipient changes the security key while offline, for instance, a sent message will fail to be delivered and the sender will be notified of the change in security keys without automatically resending the message.

WhatsApp’s implementation automatically resends an undelivered message with a new key without warning the user in advance or giving them the ability to prevent it.

Boelter reported the backdoor vulnerability to Facebook in April 2016, but was told that Facebook was aware of the issue, that it was “expected behaviour” and wasn’t being actively worked on. The Guardian has verified the backdoor still exists.

This news is sure to send Facebook into full damage control mode, as Facebook really pushes the end to end encryption feature of WhatsApp and the claim that they can’t read your messages. It will be interesting to see how they respond to this (which they haven’t as I type this), and how WhatsApp users respond to this.
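The two key-change behaviours described in the Guardian excerpt above, as an added example (a toy model written for this page, not WhatsApp's or Signal's code): one sender policy fails delivery and notifies the user, the other re-encrypts undelivered messages to the new key without asking first. The class, method and policy names and the key labels "K1" and "K2" are hypothetical, and no real cryptography is performed.

```javascript
// Added example: toy model of how a sender handles a recipient key change
// while a message is still undelivered. Names and keys are hypothetical.
class Sender {
  constructor(policy) {
    this.policy = policy;     // "block-and-notify" or "auto-resend"
    this.trusted = new Map(); // recipient -> key the sender currently trusts
    this.pending = [];        // sent but not yet delivered: {to, text}
    this.held = [];           // failed messages awaiting a user decision
    this.wire = [];           // everything encrypted and sent: {to, key, text}
    this.notices = [];        // warnings shown to the user
  }
  send(to, text) {
    this.wire.push({ to, key: this.trusted.get(to), text });
    this.pending.push({ to, text });
  }
  // The server reports a new key for `to` before delivery was confirmed.
  onKeyChange(to, newKey) {
    const waiting = this.pending.filter((m) => m.to === to);
    this.pending = this.pending.filter((m) => m.to !== to);
    if (this.policy === "auto-resend") {
      // Re-encrypt to the new key at once; the user is not asked first.
      this.trusted.set(to, newKey);
      for (const m of waiting) this.send(to, m.text);
      return;
    }
    // block-and-notify: delivery fails and nothing is re-encrypted.
    this.held.push(...waiting.map((m) => ({ ...m, newKey })));
    this.notices.push(`key for ${to} changed; ${waiting.length} message(s) not sent`);
  }
  // Only an explicit user decision trusts the new key and resends.
  approve(to) {
    const mine = this.held.filter((m) => m.to === to);
    this.held = this.held.filter((m) => m.to !== to);
    for (const m of mine) {
      this.trusted.set(to, m.newKey);
      this.send(to, m.text);
    }
  }
}

// Constructed scenario: Bob is offline, then a new key "K2" appears for him.
function keysUsedFor(policy, userApproves) {
  const alice = new Sender(policy);
  alice.trusted.set("bob", "K1");
  alice.send("bob", "meet at noon");
  alice.onKeyChange("bob", "K2");
  if (userApproves) alice.approve("bob");
  return { keys: alice.wire.map((w) => w.key), notices: alice.notices.length };
}
console.log(keysUsedFor("auto-resend", false), keysUsedFor("block-and-notify", false));
```

Under "auto-resend" the same plaintext ends up encrypted to both keys with no user decision in between; under "block-and-notify" the second encryption happens only after `approve` is called.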

WhatsApp Rolling Out Free Encrypted Video Calling

Posted in Commentary on November 15, 2016 by itnerd

In a move that will get a lot of attention, WhatsApp is rolling out its video calling feature, which will be encrypted. The new video calling feature is rolling out on Android, iOS and Windows 10 Mobile. Here’s what the company said in a blog post that went up on Monday:

We’re introducing this feature because we know that sometimes voice and text just aren’t enough. There’s no substitute for watching your grandchild take her first steps, or seeing your daughter’s face while she’s studying abroad. And we want to make these features available to everyone, not just those who can afford the most expensive new phones or live in countries with the best cellular networks.

The reason why this will get a lot of attention is that it is going to take a direct shot at FaceTime from Apple and Skype from Microsoft. It will also get a lot of attention from law enforcement who tend not to be thrilled about anything that is online and encrypted since that takes away their ability to snoop.

If you’re a WhatsApp user and you haven’t seen this feature yet, it should appear in the coming days.

Surprise! FBI Is Worried By Encryption In Whatsapp

Posted in Commentary on April 7, 2016 by itnerd

You’ll recall that I posted a story about Whatsapp implementing end to end encryption in the popular messaging app. I also had this to say:

It’s a safe bet that with this move some government (likely the US one) is going to go to Facebook to get some info and there is going to be an Apple vs. FBI type fight. I’m calling it now.

Well, the fight looks like it may be about to begin as the FBI has popped up to say this:

FBI General Counsel James Baker said in Washington on Tuesday that the decision by the Facebook-owned messaging platform to encrypt its global offerings “presents us with a significant problem” because criminals and terrorists could “get ideas.”

Speaking during an event hosted by the International Association of Privacy Professionals, the FBI’s top attorney said the increasing use of such encryption threatens the reach of law enforcement investigations.

“If the public does nothing, encryption like that will continue to roll out,” he said. “It has public safety costs. Folks have to understand that, and figure out how they are going to deal with that. Do they want the public to bear those costs? Do they want the victims of terrorism to bear those costs?”

I’d say that the public isn’t doing “nothing.” Instead, they, via the methods of communication that they use, are choosing privacy over letting a government have the ability to snoop at will. I think that’s called freedom. Something that the US apparently is in favor of. Or at least I thought they were. Now I do get that law enforcement might have reasons to get info to investigate something or stop something from happening. But bashing the encrypting of communications and devices, I believe, is not helpful.