Shortly after the announcement exmarket of Facebook's WhatsApp service, many have expressed their privacy concerns. Right after, subject matter experts better safetyς αποκάλυψαν αρκετά τρωτά σημεία, "που θα λάτρευε η NSA". Τα θέματα ασφαλείας εντοπίστηκαν από την Praetorian.
The security company discovered 4 vulnerabilities related to the protocol SSL. The researchers found that SSL pinning is not implemented. This allows an attacker to perform man-in-the-middle attacks and obtain the owner's credentials as well as other sensitive information.
The second issue is that support for SSL export ciphers is enabled. This allows an attacker to degrade encryption in 40-bit or 56-bit DES, making the system vulnerable to brute-force attacks.
In addition to supporting their export encryption algorithms, WhatsApp also supported null encryption algorithms.
"Με τα Null Ciphers να υποστηρίζονται, αν ο ιδιοκτήτης της εφαρμογής προσπαθήσει να επικοινωνήσει με το διακομιστή με χρησιμοποιώντας SSL και τα two parties do not support any common encryption, then the shipment data γίνεται σε μορφή απλού κείμενου. Η υποστήριξη των Null Ciphers δεν είναι κάτι που το συναντάμε συχνά, είναι πολύ σπάνιο" εξηγούν οι ειδικοί.
Finally, WhatsApp uses SSLv2 protocol support. This version has several vulnerabilities and experts recommend not to use it.
Shortly after the security company was notified, WhatsApp encountered three of the vulnerabilities. Praetorian has confirmed that vulnerabilities have been identified. The only thing left is the enforcement of SSL pinning, but WhatsApp said it would fix it immediately.
