An Android developer's revelation that it is possible to hack into the WhatsApp database and read the text of the chats from another application may be an enormous headache for Facebook, which has agreed to buy the app for US$19 billion.
"This is a design decision of WhatsApp," Bas Bosschert, chief technology officer of Double Think, told LinuxInsider.
"They opt for usability in their design, not security," he continued. "I did not find anything new -- I only showed how people could abuse this flaw with a working proof of concept."
The flaw works if the database backup feature is enabled, which it apparently is by default, commenters on Bosschert's blog post said.
Although WhatsApp encrypted its database in February, that encryption is available only in new installations, and updates still use the earlier, unencrypted version, Bosschert remarked.
Facebook and WhatsApp did not respond to our request to comment for this story.
How the Hack Works
The process looks easy -- Bosschert created a PHP script to store the database on an online server, created an Eclipse project with some extra lines in the AndroidManifest.xml file, and grabbed the msgstore.db and wa.db WhatsApp files, which are unencrypted.
His application displayed a simple loading screen during that process so users would not notice their WhatsApp database was being pilfered.
The hack is possible because the WhatsApp database used to be written in SQLite3. OpenSSL apparently also could be used to hack the database.
Although it appears WhatsApp encrypted the msgstore.db database using the .crypt utility, it is still possible to read chats from the encrypted database by creating a simple Python script that converts it to a plain SQLite3 database.
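A defender's check for the condition described above, as an added example that is not part of the original article or Bosschert's code: it walks a copy of a device's storage and reports files that still begin with a valid plaintext SQLite3 header. The sample_backup directory name and the sample files are constructed for illustration.

```python
import os
import sqlite3
import struct
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every plaintext SQLite3 file


def is_plaintext_sqlite(path):
    """True if the file starts with a valid, unencrypted SQLite3 header."""
    with open(path, "rb") as fh:
        header = fh.read(100)  # the SQLite3 file header is 100 bytes long
    if len(header) < 100 or not header.startswith(SQLITE_MAGIC):
        return False
    # Bytes 16-17: big-endian page size, a power of two in 512..32768, or 1 meaning 65536.
    (page_size,) = struct.unpack(">H", header[16:18])
    return page_size == 1 or (512 <= page_size <= 32768 and page_size & (page_size - 1) == 0)


def audit_backup_dir(root):
    """Return sorted relative paths of plaintext SQLite3 files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_plaintext_sqlite(full):
                findings.append(os.path.relpath(full, root))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample data: one plaintext database and one opaque file."""
    db_dir = os.path.join(root, "sample_backup")  # hypothetical directory name
    os.makedirs(db_dir)
    conn = sqlite3.connect(os.path.join(db_dir, "msgstore.db"))
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, data TEXT)")
    conn.commit()
    conn.close()
    with open(os.path.join(db_dir, "msgstore.db.crypt"), "wb") as fh:
        fh.write(os.urandom(4096))  # random bytes standing in for an encrypted backup
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit in audit_backup_dir(build_sample_tree(tmp)):
            print("plaintext SQLite3 database:", hit)
```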
Keeping Chats Safe
Bosschert obtained the database's AES key by using the WhatsApp Xtract tool published in the XDA Developers' Forum. That key no longer works with the encrypted database, according to TiFlo code, which claims its applied math app cracks the encryption.
"Given the nature of the WhatsApp use model, with backup enabled by default, you could argue that the hack could be a key to a depot of data ...
"Given the scale of WhatsApp's user base and how popular the app is among teenagers, finding anything of import would likely be like searching for a needle of enlightenment in digital haystacks of teenage trifles," King continued.