
Vulnerabilities in the WhatsApp application "that the NSA would love"

Shortly after the announcement of Facebook's acquisition of the WhatsApp service, many people expressed concerns about the protection of their privacy. Shortly afterwards, security experts revealed several vulnerabilities "which the NSA would love." The security issues were identified by Praetorian.

The security company discovered 4 vulnerabilities related to the SSL protocol. First, the researchers found that SSL pinning is not implemented. This allows an attacker to perform a man-in-the-middle attack and obtain the owner's credentials as well as other sensitive information.


The second issue is that support for SSL export ciphers is enabled. This allows an attacker to downgrade the encryption to 40-bit or 56-bit DES, making the connection vulnerable to attack.

In addition to supporting export ciphers, WhatsApp also supported null ciphers.

"With Null Ciphers supported, if the application owner tries to communicate with the server using SSL and both parties do not support any common encryption, then the data is sent in plain text. Support for Null Ciphers is not something we often encounter, it is very rare," the experts explain.

Finally, WhatsApp supports the SSLv2 protocol. This version has several vulnerabilities, and experts recommend not using it.

Shortly after being notified by the security company, WhatsApp addressed three of the vulnerabilities. Praetorian has confirmed that vulnerabilities have been identified. The only thing left is the enforcement of SSL pinning, but WhatsApp said it would fix it immediately.
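The four issue classes described above can be checked mechanically against a TLS configuration. The following Python sketch is an added example, not code from Praetorian or WhatsApp: the `TlsProfile` structure, the function names and the sample profiles are hypothetical, the cipher names follow OpenSSL's naming, and the pin is assumed to be the SHA-256 of the whole DER certificate.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TlsProfile:
    """Constructed description of what a TLS client or server accepts."""
    protocols: set
    ciphers: list                                   # OpenSSL-style suite names
    pinned_sha256: set = field(default_factory=set)  # hex SHA-256 of DER certs


def classify_cipher(name: str) -> Optional[str]:
    """Return the weakness class of an OpenSSL-style suite name, if any."""
    parts = name.upper().split("-")
    if parts[0] in ("EXP", "EXP1024"):
        return "export"   # export-grade suite with deliberately short keys
    if "NULL" in parts:
        return "null"     # authentication only, payload sent unencrypted
    return None


def audit(profile: TlsProfile) -> list:
    """List which of the four issue classes from the article a profile shows."""
    classes = {classify_cipher(c) for c in profile.ciphers}
    checks = [
        ("no-pinning", not profile.pinned_sha256),
        ("export-ciphers", "export" in classes),
        ("null-ciphers", "null" in classes),
        ("sslv2", "SSLv2" in profile.protocols),
    ]
    return [label for label, hit in checks if hit]


def pin_matches(der_cert: bytes, pinned_sha256: set) -> bool:
    """Check the presented certificate's SHA-256 against the pinned digests."""
    digest = hashlib.sha256(der_cert).hexdigest()
    return any(hmac.compare_digest(digest, p.lower()) for p in pinned_sha256)


# Constructed sample data: placeholder bytes stand in for a DER certificate.
SAMPLE_CERT = b"constructed placeholder for DER certificate bytes"
LEGACY = TlsProfile({"SSLv2", "TLSv1"},
                    ["EXP-RC4-MD5", "NULL-SHA", "AES128-SHA"])
HARDENED = TlsProfile({"TLSv1.2"}, ["ECDHE-RSA-AES128-GCM-SHA256"],
                      {hashlib.sha256(SAMPLE_CERT).hexdigest()})
```

With pinning in place, a certificate that chains to a trusted CA but is not in the pinned set is still rejected, which is what prevents the man-in-the-middle scenario in the first finding.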

iGuRu.gr The Best Technology Site in Greece


Written by giorgos
