Shortly after the announcement of the acquisition of the WhatsApp service by Facebook, many people expressed their concerns about the protection of their privacy. Soon after, security experts revealed quite a bit vulnerable points, "which the NSA would love." The security issues were identified by the Praetorian.
The security company discovered 4 vulnerabilities related to the SSL protocol. The researchers διαπίστωσαν ότι το SSL pinning δεν εφαρμόζεται. Αυτό επιτρέπει σε έναν εισβολέα να πραγματοποιήσει επιθέσεις man-in-the-middle και να αποκτήσει τα διαπιστευτήρια του ιδιοκτήτη καθώς και άλλες ευαίσθητες πληροφορίες.
The second issue is that support for SSL export ciphers is enabled. This allows an attacker to degrade encryption in 40-bit or 56-bit DES, making the system vulnerable to brute-force attacks.
In addition to supporting their export encryption algorithms, WhatsApp also supported null encryption algorithms.
"With Null Ciphers supported, if the application owner tries to communicate with the server using SSL and both parties do not support any common cipher, then the Mission data is in plain text format. The support of Null Ciphers is not something we come across often, it is very rare,” the experts explain.
Finally, WhatsApp uses SSLv2 protocol support. This version has several vulnerabilities and experts recommend not to use it.
Shortly after the security company was notified, WhatsApp encountered three of the vulnerabilities. Praetorian has confirmed that vulnerabilities have been identified. The only thing left is the enforcement of SSL pinning, but WhatsApp said it would fix it immediately.