Security experts raise flags over WhatsApp

Feb 22, 2014 by Rob Lever
Logo of WhatsApp, the popular messaging service bought by Facebook for US$19 billion, seen on a smartphone February 20, 2014 in New York

The Facebook deal for WhatsApp drew attention for its whopping price tag, but has also brought out fresh criticism over security for the billions of messages delivered on the platform.

WhatsApp, which is to be acquired for $19 billion, says on its website that "communication between your phone and our server is fully encrypted."

The company warns users need to be aware that when they send messages, the recipient's device may not be secure. But it says it does not store any chat history and that messages are wiped off its system after delivery.

Yet researchers and others point out that there may be vulnerabilities in the system used by some 450 million people globally.

Paul Jauregui at the security firm Praetorian said in a blog post Thursday that WhatsApp security and encryption are not ideal, citing vulnerabilities in the way it handles SSL, the secure socket layer protocol for communications.

The group's mobile security test "picked up on several SSL-related security issues affecting the confidentiality of WhatsApp user data that passes in transit to back-end servers," Jauregui said.

"This is the kind of stuff the NSA (National Security Agency) would love. It basically allows them—or an attacker—to man-in-the-middle the connection and then downgrade the encryption so they can break it and sniff the traffic. These security issues put WhatsApp user information and communications at risk."

Jauregui noted that Praetorian would need authorization from Facebook and WhatsApp to do a more thorough security evaluation.

He added that it would be "not very difficult" to patch the security flaws.

The Facebook and WhatsApp applications' icons are displayed on a smartphone on February 20, 2014 in Rome

Serious Privacy Concerns

Meanwhile in Germany, the data commissioner in the state of Schleswig-Holstein, said in a statement this week the deal raises serious privacy concerns and that WhatsApp does not comply with European data protection rules.

The official, Thilo Weichert, said in a statement that people should opt out of WhatsApp for more "trusted services."

Last October, Dutch security researcher Thijs Alkemade posted a blog saying that the encryption can be circumvented, making it feasible "that anyone who is able to eavesdrop on your WhatsApp connection is capable of decrypting your messages, given enough effort."

WhatsApp did not respond to an AFP query on the security claims.

But some rival services say the Facebook-WhatsApp tie-up is likely to hurt confidence in the messaging app.

Nico Sell, co-founder of the security-focused app Wickr said it has seen "thousands more people than normal" downloading its app since Facebook's announcement.

"I think people will swap quickly out of WhatsApp now that it's part of Facebook," she told AFP.

Sell said Facebook's core business is monetizing data, while Wickr aims at protecting user anonymity and privacy, by using top-grade encryption and paying bounties to hackers who discover any .

'Tons of data vulnerable'

"They say they won't put ads on WhatsApp. But that doesn't mean they can't feed the beast with the data they are sitting on," she said. "There are tons of data that can be analyzed from conversations with your friends and family."

Sell said that in light of documents leaked about NSA surveillance in the past year, "people are becoming more aware of how easy it is to abuse your conversations and your data."

Serge Malenkovich at the security firm Kaspersky said however users should not panic over WhatsApp and Facebook.

"There are no new reasons to worry about messaging privacy," he said in a blog post.

"Honestly speaking, WhatsApp was never meant to be a true confidential messaging tool... confidential data shouldn't be sent unencrypted over standard communication channels, be it Facebook, WhatsApp or e-mail. Use dedicated security tools to protect your data from prying eyes."

But he said a bigger threat is scammers who send messages urging you to "confirm your WhatsApp account" or "opt out of Facebook ads inside WhatsApp."

"Those messages will definitely contain a malicious link and clicking on it may infect your device or lead you to a phishing page trying to steal personal data from you," Malenkovich said.

Explore further: WhatsApp: A $19 billion bet for Facebook

add to favorites email to friend print save as pdf

Related Stories

WhatsApp: A $19 billion bet for Facebook

Feb 20, 2014

Facebook is placing a $19 billion bet on reaching its next billion mobile users with the acquisition of WhatsApp, a popular messaging service that lets people send texts, photos and videos on their smartphones. ...

WhatsApp has everything Facebook needs to survive

Feb 21, 2014

Facebook has made a play for the mobile market by buying WhatsApp in what should be seen as a significant sign of the times. Desktop computing is the past and mobile access is the future. Facebook knows th ...

WhatsApp messaging breached privacy laws

Jan 28, 2013

WhatsApp's mobile messaging service used by hundreds of millions of customers worldwide breached privacy laws in at least two countries, a joint Canadian-Dutch probe concluded Monday.

Facebook mega-deal seen as brilliant strategic move

Feb 20, 2014

Facebook's deal for the red-hot mobile messaging service WhatsApp is a savvy strategic move for the world's biggest social network, even if the price tag is staggeringly high, analysts say. ...

Does WhatsApp deal show Facebook knows what's up?

Feb 20, 2014

If Facebook hopes to remain the social networking leader, CEO Mark Zuckerberg knows the company must follow the people. That realization compelled Zuckerberg to pay $19 billion for WhatsApp, a mobile messaging ...

Recommended for you

Health care site flagged in Heartbleed review

7 hours ago

People with accounts on the enrollment website for President Barack Obama's signature health care law are being told to change their passwords following an administration-wide review of the government's vulnerability to the ...

User comments : 4

Adjust slider to filter visible comments by rank

Display comments: newest first

JRi
5 / 5 (3) Feb 22, 2014
I think the worse is the fact that you must give WhatsApp all your friends' and relatives' telephone numbers and contact information when you sign in. Maybe even SMS conversations as well. That data is then propably sold to third party, whoever is willing to pay.
Anda
3 / 5 (2) Feb 22, 2014
I think the worst is the paranoia induced by "security" folks to make a living...
Gyrene251
not rated yet Feb 22, 2014
Never used it and never will. Should Facebook somehow incorporate this into the platform, this one user who will dump Facebook.
baudrunner
not rated yet Feb 22, 2014
Facebook already has a pretty good chat feature which even includes the ability to send images with the text. I really don't see why they bought into WhatsApp, unless there is some kind of money laundering scheme behind the transaction.

More news stories

Airbnb rental site raises $450 mn

Online lodging listings website Airbnb inked a $450 million funding deal with investors led by TPG, a source close to the matter said Friday.

Health care site flagged in Heartbleed review

People with accounts on the enrollment website for President Barack Obama's signature health care law are being told to change their passwords following an administration-wide review of the government's vulnerability to the ...