The recent acquisition of WhatsApp by Facebook has generated much discussion. Never has such a high price been paid for an app, but the major concerns relate to users’ privacy. The security consultant Bas Bosschert recently identified a vulnerability in WhatsApp that could be exploited to gain access to the private chats of Android device users.
The security expert discovered that any Android app that is allowed access to the SD card installed on the handset can access private conversations. In his blog post titled “Steal WhatsApp database (PoC)”, Bosschert explained that all of a user’s chats on Android devices are stored in a database file (msgstore.db) on the SD card. He also developed a proof of concept which demonstrates that any app granted permission to access the card can easily read the database and steal it, for example by uploading the file to a remote server. The WhatsApp database is a SQLite3 file, which can easily be converted to Excel.
“The WhatsApp database is saved on the SD card which can be read by any Android application if the user allows it to access the SD card. And since the majority of the people allows everything on their Android device, this is not much of a problem.”
Bosschert noted that in newer versions of WhatsApp the database file msgstore.db is encrypted, which means attackers have to decrypt it to access users’ private chats on Android. Decrypting the database is not a problem because the decryption key can be found in WhatsApp Xtract, another mobile app designed to allow users to create backups of WhatsApp conversations.
“In newer versions WhatsApp decided to do some crypto magic on their database (msgstore.db.crypt), so it is more secure. It is still possible to read chats from this database, but more on that later. The msgstore.db and wa.db are the old unencrypted databases of WhatsApp.” states the researcher. “Lately WhatsApp is using encryption to encrypt the database, so it can no longer be opened by SQLite. But we can simply decrypt this database using a simple python script. This script converts the crypted database to a plain SQLite3 database (got key from Whatsapp Xtract).” he added.
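As an added example (not from Bosschert’s post or from WhatsApp), the following Python sketch shows a defender-side check on a copy of a device’s shared storage: it lists files that begin with the SQLite 3 header and can therefore be opened without any key by whatever can read the card. The directory layout and sample files are constructed for illustration; a file that does not match is only shown to be non-plaintext, not to be securely encrypted.

```python
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file


def classify(path):
    """Return 'plaintext-sqlite', 'opaque' or 'unreadable' based on the file header."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(16)
    except OSError:
        return "unreadable"
    return "plaintext-sqlite" if head == SQLITE_MAGIC else "opaque"


def audit_shared_storage(root):
    """Walk a copy of shared storage and list databases readable without a key."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if classify(full) == "plaintext-sqlite":
                findings.append(os.path.relpath(full, root))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: one real SQLite file and one non-SQLite blob."""
    root = tempfile.mkdtemp(prefix="sdcard_")
    dbdir = os.path.join(root, "ExampleApp", "Databases")  # hypothetical layout
    os.makedirs(dbdir)
    conn = sqlite3.connect(os.path.join(dbdir, "msgstore.db"))
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO messages (body) VALUES ('constructed sample row')")
    conn.commit()
    conn.close()
    with open(os.path.join(dbdir, "msgstore.db.crypt"), "wb") as fh:
        fh.write(bytes(range(256)))  # stand-in for an encrypted file
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for hit in audit_shared_storage(sample):
        print("readable without a key:", hit)
```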
In Bosschert’s PoC, the victim sees only a simple loading screen while the database is stolen. The researcher reminds us that cybercriminals could combine the data-stealing code with a popular application, like a viral game, to harvest a large number of databases.
“By doing the magic in the loading screen you can also add this code to a real application instead of the Hello World message you see now. Combine it with something like FlappyBird and a description how to install applications from unknown sources and you can harvest a lot of databases.”
Bosschert reached out to WhatsApp and will update his post if the company responds to the inquiry.
This is the latest privacy/security issue related to the WhatsApp instant messaging platform. In the past Google removed from the official Play store the “Balloon Pop 2” Android game, which allowed snooping on WhatsApp conversations, and last month, in February, security experts at Praetorian discovered various security issues in the way WhatsApp implements SSL, the principal one being the lack of enforcement of “certificate pinning”.
At the time of writing, WhatsApp has denied any responsibility. According to the company, the issue is related to the phone, and it maintains that users are in any case at risk if they download malware or a dodgy app which might expose data on the microSD card.
Here’s the official statement from WhatsApp:
“We are aware of the reports regarding a “security flaw”. Unfortunately, these reports have not painted an accurate picture and are overstated. Under normal circumstances the data on a microSD card is not exposed. However, if a device owner downloads malware or a virus, their phone will be at risk. As always, we recommend WhatsApp users apply all software updates to ensure they have the latest security fixes and we strongly encourage users to only download trusted software from reputable companies. The current version of WhatsApp in Google Play was updated to further protect our users against malicious apps.”
(Security Affairs – WhatsApp, hacking)