Shortly after Facebook announced it was buying WhatsApp, many users raised privacy concerns. Soon enough, security experts reported a number of vulnerabilities, which they characterized as being exactly the kind “the NSA would love.” The security issues have been identified by Praetorian. The company’s new mobile application security testing platform, Project Neptune, has been put to the test.
A total of four SSL-related security holes have been identified. First, researchers found that SSL pinning is not enforced. This allows an attacker to launch a man-in-the-middle (MitM) attack between the mobile application and the backend web services and capture user credentials and other sensitive information.
The second issue is that support for SSL export ciphers is enabled. This allows an attacker to downgrade encryption to 40-bit or 56-bit DES, making communications vulnerable to brute-force attacks.
In addition to supporting export ciphers, WhatsApp also supported null ciphers.
“With Null Ciphers supported, if the client mobile application attempts to communicate to the server using SSL and both parties do not support any common cipher suites—as a result of a malicious intercept—then it would fall back to sending the data in clear, plain text. Supporting Null Ciphers is not something we come across often—it’s quite rare,” experts explained.
Finally, WhatsApp had SSLv2 protocol support enabled. This version has a number of weaknesses and experts recommend against its use because it’s susceptible to MitM attacks.
Shortly after being notified of these issues, WhatsApp addressed three of them. Praetorian has confirmed that these vulnerabilities have been fixed. The only flaw that remains unfixed is the lack of SSL pinning enforcement, but the company says it’s working on adding it to clients.
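The four findings described above map onto checks a defender can automate. The following Python code is an added example, not Praetorian's or WhatsApp's own: it flags SSLv2, null and export cipher suites in a scan result and compares a presented certificate against a pinned SHA-256 digest. The function names, the sample scan data and the certificate bytes are constructed for illustration.

```python
import hashlib
import hmac

# Protocol versions the article's findings say must not be offered.
BANNED_PROTOCOLS = {"SSLv2"}


def classify_suite(name):
    """Return 'null', 'export' or None for an OpenSSL- or IANA-style suite name."""
    upper = name.upper()
    if "NULL" in upper:
        return "null"      # no encryption: data is sent in clear text
    if upper.startswith("EXP") or "EXPORT" in upper:
        return "export"    # export-grade suite (40-bit or 56-bit, per the article)
    return None


def audit_endpoint(protocols, suites):
    """List (finding, detail) pairs for the three server-side issues."""
    findings = [("sslv2", p) for p in protocols if p in BANNED_PROTOCOLS]
    for suite in suites:
        kind = classify_suite(suite)
        if kind:
            findings.append((kind, suite))
    return findings


def pin_matches(cert_der, pinned_sha256_hex):
    """Client-side pin check: SHA-256 of the presented certificate must be pinned."""
    digest = hashlib.sha256(cert_der).hexdigest()
    return any(hmac.compare_digest(digest, pin.lower()) for pin in pinned_sha256_hex)


# Constructed scan result (not real WhatsApp data).
SAMPLE_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1"]
SAMPLE_SUITES = ["AES128-SHA", "EXP-DES-CBC-SHA", "NULL-MD5",
                 "TLS_RSA_EXPORT_WITH_RC4_40_MD5", "TLS_RSA_WITH_NULL_SHA"]

# Constructed byte strings standing in for DER-encoded certificates.
EXPECTED_CERT = b"constructed-der-bytes-of-the-real-server-cert"
INTERCEPT_CERT = b"constructed-der-bytes-of-an-interceptor-cert"
PINS = {hashlib.sha256(EXPECTED_CERT).hexdigest()}

if __name__ == "__main__":
    for kind, detail in audit_endpoint(SAMPLE_PROTOCOLS, SAMPLE_SUITES):
        print(f"{kind:7} {detail}")
    print("expected cert pinned:", pin_matches(EXPECTED_CERT, PINS))
    print("intercept cert pinned:", pin_matches(INTERCEPT_CERT, PINS))
```

A client that enforces the pin check rejects the connection when `pin_matches` returns `False`, even if the presented certificate chains to a trusted CA.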