Feeds

WhatsApp chats not as secret as you think

Malicious apps can steal chat history

Top 5 reasons to deploy VMware with Tegile

Mark Zuckerberg's $19bn darling, WhatsApp, isn't as secure as we thought: a Dutch researcher has found that chats can be accessed and read by other apps.

Bas Bosschert has described a process by which the chat database can be read even if it's encrypted. His proof-of-concept, here, runs through the process.

Here's the short version: Bosschert first created a php Web server to run on the target device, then with a bit more code work, he uploaded the WhatsApp message files to his own app – msgstore.db and wa.db for older versions, msgstore.db.crypt for newer versions.

If an attacker was to “combine it with something like FlappyBird and a description how to install applications from unknown sources,” he writes, “you can harvest a lot of databases”.

Code snippet WhatsApp vuln

Bas Bosschert has worked out how to read WhatsApp stored chats

For unencrypted stores, the work's already done. For newer versions of WhatsApp, he writes, decryption is already available from the WhatsApp Xtract backup tool.

For Bosschert's attack to work, all that's required is that the user grants sufficient permissions to the malicious app. As he writes: “ since [the] majority of the people allows everything on their Android device, this is not much of a problem.” ®

Remote control for virtualized desktops

More from The Register

next story
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
Mozilla, EFF, Cisco back free-as-in-FREE-BEER SSL cert authority
Let’s Encrypt to give HTTPS-everywhere a boost in 2015
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
Got an iPhone or iPad? LOOK OUT for MASQUE-D INTRUDERS
UNjailbroken iOS 7, 8 open to evil, says secbiz FireEye
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Simplify SSL certificate management across the enterprise
Simple steps to take control of SSL across the enterprise, and recommendations for a management platform for full visibility and single-point of control for these Certificates.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.