Shortly after the announcement exmarket της υπηρεσίας WhatsApp από το Facebook, πάρα πολλοί εξέφρασαν τις ανησυχίες τους για την προστασία της ιδιωτικής τους ζωής. Αμέσως μετά, ειδικοί σε θέματα better safetyς αποκάλυψαν αρκετά vulnerabilities, "which the NSA would love." The security issues were identified by the Praetorian.
Η εταιρεία ασφαλείας ανακάλυψε 4 τρωτά σημεία που σχετίζονται με το πρωτόκολλο SSL. Οι ερευνητές διαπίστωσαν ότι το SSL pinning δεν εφαρμόζεται. Αυτό επιτρέπει σε έναν εισβολέα να πραγματοποιήσει επιθέσεις Man-in-the-middle και να αποκτήσει τα διαπιστευτήρια του ιδιοκτήτη καθώς και άλλες ευαίσθητες πληροφορίες.
The second issue is that support for SSL export ciphers is enabled. This allows an attacker to degrade the encryption to 40-bit or 56-bit DES, making the system vulnerable to brute-force attacks.
In addition to supporting their export encryption algorithms, WhatsApp also supported null encryption algorithms.
"With Null Ciphers supported, if the application owner tries to communicate with the server using SSL and both parties do not support any common cipher, then the Mission data is in plain text format. The support of Null Ciphers is not something we come across often, it is very rare,” the experts explain.
Finally, the WhatsApp application used SSLv2 protocol support. This n version έχει αρκετές vulnerabilities και οι ειδικοί συστήνουν να μην usestai.
Shortly after the security company was notified, WhatsApp encountered three of the vulnerabilities. Praetorian has confirmed that vulnerabilities have been identified. The only thing left is the enforcement of SSL pinning, but WhatsApp said it would fix it immediately.
