Researchers at the University of New Haven’s Cyber Forensics Research and Education Group have found that WhatsApp sends user location in an unencrypted form. WhatsApp says that it has already implemented a fix in the latest beta version of the instant messaging application.
When WhatsApp users send other users their location, the data is downloaded from Google Maps as an image. The problem is that this image is unencrypted, which means that an attacker could intercept the data via a man-in-the-middle (MITM) attack.
To demonstrate that the location image can be intercepted, the researchers set up an experiment that mimicked a rogue access point (AP), which is the easiest way for an attacker to launch MITM attacks.
They’ve published a proof-of-concept video to demonstrate their findings.
This is a low-impact security issue because, if the attacker is on the same network as the victim, the victim's location is already obvious. However, at a time when privacy has become important, it's crucial for service providers to encrypt communications as much as possible.
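A defender can audit an app's captured outbound requests for the class of leak described above, coordinates travelling over a cleartext scheme. The following is an added example, not code from the researchers or from WhatsApp; the host names, parameter names and sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# "lat,lon" decimal pair such as "41.2921,-72.9614"; the lookbehind stops the
# pattern from matching the tail of a longer number.
COORD_PAIR = re.compile(r"(?<![\d.])(-?\d{1,3}\.\d+)\s*,\s*(-?\d{1,3}\.\d+)")

def coordinates_in(url):
    """Return plausible (lat, lon) tuples found in the URL's query values."""
    found = []
    # parse_qsl percent-decodes values, so encoded separators do not hide a pair.
    for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for lat, lon in COORD_PAIR.findall(value):
            lat, lon = float(lat), float(lon)
            # Discard pairs that cannot be geographic coordinates.
            if -90 <= lat <= 90 and -180 <= lon <= 180:
                found.append((lat, lon))
    return found

def cleartext_location_leaks(urls):
    """Flag requests that carry coordinates over plain HTTP."""
    findings = []
    for url in urls:
        coords = coordinates_in(url)
        if urlsplit(url).scheme.lower() == "http" and coords:
            findings.append((url, coords))
    return findings

# Constructed sample of requests, as a proxy or packet capture of the app's
# own traffic might list them (hypothetical hosts and parameters).
SAMPLE_REQUESTS = [
    "http://maps.example.test/staticmap?center=41.2921,-72.9614&zoom=15&size=300x300",
    "https://maps.example.test/staticmap?center=41.2921,-72.9614&zoom=15",
    "http://cdn.example.test/avatar.png?v=1.25,3",
    "http://maps.example.test/staticmap?markers=color:red%7C95.5,10.0",
]

if __name__ == "__main__":
    for url, coords in cleartext_location_leaks(SAMPLE_REQUESTS):
        print("cleartext location request:", url, coords)
```

Only the first sample request is flagged: the second uses HTTPS, the third carries no coordinate pair, and the fourth has a latitude outside the valid range.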
Lately, WhatsApp has been criticized for the way it has handled some security issues, so it’s a good thing that it is addressing this bug.
Check out the video published by the University of New Haven’s Cyber Forensics Research and Education Group: