Shortly after the announcement of the acquisition of WhatsApp service by Facebook, many people expressed their concerns about the protection of their privacy. Shortly afterwards, security experts revealed several vulnerabilities, "which the NSA would love." Security issues were identified by Praetorian.
The security company discovered 4 vulnerabilities associated with the SSL protocol. Researchers have found that SSL pinning is not applicable. This allows an attacker to perform man-in-the-middle attacks and obtain the owner's credentials as well as other sensitive information.
The second issue is that support for SSL export ciphers is enabled. This allows an attacker to degrade encryption in 40-bit or 56-bit DES, making the system vulnerable to brute-force attacks.
In addition to supporting their export encryption algorithms, WhatsApp also supported null encryption algorithms.
"With Null Ciphers supported, if the application owner tries to communicate with the server using SSL and both parties do not support any common encryption, then the data is sent in plain text. "Support for Null Ciphers is not something we often encounter, it is very rare," the experts explain.
Finally, WhatsApp uses SSLv2 protocol support. This version has several vulnerabilities and experts recommend not to use it.
Shortly after the security company was notified, WhatsApp encountered three of the vulnerabilities. Praetorian has confirmed that vulnerabilities have been identified. The only thing left is the enforcement of SSL pinning, but WhatsApp said it would fix it immediately.