Only days after Facebook announced its acquisition of WhatsApp, the cross-platform mobile messaging app, a group of researchers found gaping holes in WhatsApp's security. The holes were identified and summarised by Praetorian, which put its new mobile application security testing platform, Project Neptune, to the test on WhatsApp, and Project Neptune came back with some startling results.
Only two days earlier, WhatsApp had been in the news because of its reported $19 billion takeover by the social networking giant Facebook. On the date of purchase, WhatsApp had 430 million active users and was adding 1 million users a day. Imagine the names and phone numbers of 430 million users being leaked online. That is just a fantastic theory, but it could have become a reality had Project Neptune not delivered its security report.
Coming so soon after Snapchat's mega leaks on the internet, WhatsApp's security personnel took due notice of the Project Neptune report and are working diligently to resolve the issues, unlike Snapchat, which refused even to acknowledge its breach and faced the embarrassing situation of having 4.6 million user IDs leaked online.
Praetorian explains how it managed to uncover WhatsApp's security flaws. Project Neptune is Praetorian's new mobile application security testing platform, which allows companies to keep pace with rapid mobile development cycles by incorporating continuous, on-demand security testing. Praetorian took on WhatsApp as a beta test for its newly launched Project Neptune.
Within minutes of starting Project Neptune's mobile application security testing on WhatsApp, it was able to pick out as many as 4 SSL-related security issues affecting the confidentiality of WhatsApp user data in transit to the back-end servers. This is the kind of backdoor that the NSA and its BigEyes love, giving them user data in real time. It basically allows them, or a cyber criminal, to man-in-the-middle the connection and then downgrade the encryption so they can break it and snoop on the traffic or download user data. These security issues put WhatsApp user information and communications at risk.
Praetorian then got in touch with WhatsApp engineers, who are reportedly attending to all the security issues pointed out by Project Neptune. Below are the issues found by Project Neptune and the action WhatsApp has taken on each.
SSL Pinning Not Enforced
WhatsApp does not perform SSL pinning when establishing a trusted connection between the mobile applications and back-end web services. Without SSL pinning enforced, an attacker could man-in-the-middle the connection between the mobile applications and back-end web services. This would allow the attacker to sniff user credentials, session identifiers, or other sensitive information.
Update 02/21/2014: WhatsApp is actively working on adding SSL Pinning now
SSL Export Ciphers Support Enabled
WhatsApp’s back-end servers allow the use of weak 40-bit and 56-bit encryption schemes. Without malicious intervention this may not be an issue, because the mobile application and server will negotiate the encryption and settle on the strongest encryption they both support. However, an attacker could intercept the communication and forcefully downgrade it to 40-bit or 56-bit DES encryption, which would make brute-force attacks against the encryption feasible.
Update 02/21/2014: We no longer find evidence of export cipher support.
SSL Null Ciphers Support Enabled
It gets worse. WhatsApp even supports Null Ciphers, which is data that is supposed to be encrypted, but in reality is not. Null Ciphers do not perform any encryption. That is, they simply copy the input stream to the output stream without any changes. With Null Ciphers supported, if the client mobile application attempts to communicate to the server using SSL and both parties do not support any common cipher suites—as a result of a malicious intercept—then it would fall back to sending the data in clear, plain text. Supporting Null Ciphers is not something we come across often—it’s quite rare.
Update 02/21/2014: We no longer find evidence of null cipher support.
SSLv2 Protocol Support Enabled
WhatsApp was also found to support SSL version 2 (v2), which has been found to contain several weaknesses. SSLv2 is vulnerable to several specific attacks which require sniffing and man-in-the-middling. In addition, SSLv2 utilizes MAC post-encryption and 40-bit MACs, which are both considered design flaw weaknesses. Depending on the time and resources of an attacker, any communication protected by SSLv2 may be vulnerable to man-in-the-middle attacks that could allow data tampering or disclosure.
Update 02/21/2014: We no longer find evidence of SSLv2 support.
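The four findings above come down to two client-side controls: pin the server's key so that a man-in-the-middle's certificate is rejected even if it chains to a trusted root, and refuse the legacy protocol versions and cipher suites that a downgrade would otherwise land on. The Go program below is an added example written for this article, not WhatsApp's or Praetorian's code. It assumes a constructed host name (chat.example.invalid), a throwaway self-signed certificate generated at run time, and Go's crypto/tls API (VerifyPeerCertificate, MinVersion, CipherSuites, InsecureCipherSuites). It goes slightly beyond the report by adding a small audit function that flags the same weakness classes in any Go client configuration.

```go
// Added example (not WhatsApp's or Praetorian's code): SPKI pinning and a client-config audit on Go's crypto/tls.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the usual pin format.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinnedVerifier is a VerifyPeerCertificate callback: the handshake proceeds only if a presented certificate hashes to a pin (ship a backup pin for key rotation).
func PinnedVerifier(pins []string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		for _, raw := range rawCerts {
			cert, err := x509.ParseCertificate(raw)
			if err != nil {
				return err
			}
			for _, want := range pins {
				if SPKIPin(cert) == want {
					return nil // chain validation has already run; the key matches too
				}
			}
		}
		return fmt.Errorf("pin mismatch: no presented certificate is in the pin set")
	}
}

// HardenedClientConfig pins the server key, refuses anything below TLS 1.2 (so no SSLv2/v3)
// and offers only AEAD suites, so export, DES or NULL ciphers cannot be negotiated even under a forced downgrade.
func HardenedClientConfig(host string, pins []string) *tls.Config {
	return &tls.Config{
		ServerName:            host,
		MinVersion:            tls.VersionTLS12,
		CipherSuites:          []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305},
		VerifyPeerCertificate: PinnedVerifier(pins),
	}
}

// WeakClientConfig: no pinning, TLS 1.0 still allowed and a broken suite on offer.
func WeakClientConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS10, CipherSuites: []uint16{tls.TLS_RSA_WITH_RC4_128_SHA}}
}

// AuditClientConfig lists the report's weakness classes present in a Go client config (MinVersion 0 is Go's default, already TLS 1.2+).
func AuditClientConfig(cfg *tls.Config) []string {
	var findings []string
	if cfg.VerifyPeerCertificate == nil {
		findings = append(findings, "no certificate pinning")
	}
	if cfg.MinVersion != 0 && cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "legacy protocol versions allowed")
	}
	for _, id := range cfg.CipherSuites {
		for _, bad := range tls.InsecureCipherSuites() {
			if id == bad.ID {
				findings = append(findings, "insecure cipher suite "+bad.Name)
			}
		}
	}
	return findings
}

// RunPinDemo makes a throwaway certificate for a constructed host and calls the verifier as crypto/tls would mid-handshake: real pin, then a pin of no key.
func RunPinDemo() (correctAccepted, wrongRejected bool, err error) {
	const host = "chat.example.invalid" // constructed, not a real endpoint
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return false, false, err
	}
	cert, _ := x509.ParseCertificate(der) // just created by CreateCertificate, so it parses
	verify := func(pin string) error {
		return HardenedClientConfig(host, []string{pin}).VerifyPeerCertificate([][]byte{der}, nil)
	}
	return verify(SPKIPin(cert)) == nil, verify(base64.StdEncoding.EncodeToString(make([]byte, 32))) != nil, nil
}

func main() {
	ok, rejected, err := RunPinDemo()
	fmt.Println("correct pin accepted:", ok, "wrong pin rejected:", rejected, "error:", err)
	fmt.Println("weak:", AuditClientConfig(WeakClientConfig()), "hardened:", AuditClientConfig(HardenedClientConfig("chat.example.invalid", nil)))
}
```

Running the file prints the pin results and the audit of the weak versus the hardened configuration. On a real client the pin set would hold the SPKI hashes of the production key and a backup key, and ordinary chain validation stays switched on: pinning is an extra check on top of it, not a replacement, and the verifier above is only ever reached after crypto/tls has validated the chain.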
Praetorian said that the security test cases undertaken in Project Neptune were non-intrusive and limited in scope, yet were able to give amazing results. It hopes to get Facebook's and WhatsApp's authorisation to run a full-scale and more thorough security evaluation of the mobile applications and back-end infrastructure.