Security Weaknesses in WhatsApp, "The kind the NSA would love"

This past week, Facebook has acquired the company behind mobile messaging app WhatsApp for $19 billion. According to a report from ArsTechnica, the acquisition may not only be an attractive acquisition for the social networking giant, but also the government and hackers.

Researchers say that this is thanks to several weaknesses in the encryption used in WhatsApp to prevent anyone from eavesdropping on a conversation.


A report from security consultancy Praetorian points out the major flaw is behind WhatsApp's implementation of secure socket layers (SSL) encryption because it supports version two of the protocol.

Version 2 of SSL is susceptible to several well-known attacks that allows a hacker to monitor a connection between the two endpoints, in turn allowing them to view and even manipulate traffic as it passes.

The company behind WhatsApp has reportedly failed to implement a technique known as certificate planning, which is designed to block any attacks that may be using a forged certificate.

Praetorian also points out two more deficiencies with the way WhatsApp implements SSL: The use of SSL null ciphers and the enabling of SSL export ciphers, which both make it easier for attackers to 'tap into' the traffic as it moves between one end point to the other.

Praetorian's Paul Jauregui wrote:

"This is the kind of stuff the NSA would love. It basically allows them—or an attacker—to man-in-the-middle the connection and then downgrade the encryption so they can break it and sniff the traffic. These security issues put WhatsApp user information and communications at risk."

Back in October 2013, a computer science student at Utrecht University in the Netherlands documented a critical encryption flaw that allowed adversaries to decrypt any message (voice or text) that was sent using WhatsApp.

Details About Apple’s iOS SSL Patch in Update 7.0.6, OS X is Still Vulnerable

Details About Apple’s iOS SSL Patch in Update 7.0.6, OS X is Still Vulnerable

Fitbit Force Bands Recalled Due to Skin Irritation Issues