Who's reading your messages? Blogger exposes critical flaw in WhatsApp security

A Dutch blogger and computer science student has exposed a critical flaw in the security of WhatsApp smartphone messenger.

The app has grown in recent years to process as many as 27 billion messages a day, has more users than Twitter, and processes more data than Facebook, but Thijs Alkemade, a student at Utrecht University in the Netherlands, discovered that its data transfer is cripplingly insecure.

Alkemade discovered that WhatsApp uses the same encryption key for both the incoming and the outgoing messages in any conversation. This flaw allows a determined hacker not only to eavesdrop on messages, but also to swap, delete or return messages en route to a correspondent.

Alkemade went on to conclude that "you should assume that anyone who is able to eavesdrop on your WhatsApp connection is capable of decrypting your messages, given enough effort."

Users of the messaging app "should consider all your previous WhatsApp conversations compromised." There is no solution, Alkemade said, "except to stop using it until the developers can update it."

The app's support team claims that "WhatsApp communication between your phone and our server is fully encrypted." However, this encryption may not be sufficient to keep certain attacks at bay.

Thomas H. Ptacek at security research and development firm Matasano reported that due to the flaw, "an attacker that knows any of the plaintext of one side of the connection can use it to recover plaintext of the other side".

This vulnerability can also allow the whole message to be attacked statistically, using so-called "brute force". "The attack takes microseconds", Ptacek said. "It's an extremely bad flaw that lots of people know how to exploit."
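The key-reuse problem Alkemade found and the known-plaintext recovery Ptacek describes are the classic "two-time pad" failure of stream ciphers. The script below is an added illustration written for this article, not code from Alkemade, Ptacek or WhatsApp: it uses a constructed stand-in stream cipher (SHA-256 in counter mode) and constructed sample messages, encrypts both directions of a conversation under one key, and shows why an eavesdropper who knows one side's plaintext can read the other side. It also shows the standard mitigation, deriving a separate key for each direction, which the article does not spell out.

```python
"""Key reuse across both directions of a conversation (two-time pad)."""
import hashlib
from itertools import count

# Constructed sample traffic: one conversation, two directions.
SESSION_KEY = b"constructed-session-key-not-real"
P_OUTGOING = b"Sending the patient photos now, please confirm receipt."
P_INCOMING = b"Received, thanks. I will review them this evening."


def keystream(key: bytes, nbytes: int) -> bytes:
    """Toy stream cipher stand-in (SHA-256 in counter mode).

    Constructed for illustration only; it is not the cipher the app used.
    Any stream cipher behaves the same way for this attack: the keystream
    depends only on the key, so reusing the key reuses the keystream.
    """
    out = bytearray()
    for ctr in count():
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        if len(out) >= nbytes:
            return bytes(out[:nbytes])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the result is as long as the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: plaintext XOR keystream."""
    return xor_bytes(plaintext, keystream(key, len(plaintext)))


def direction_key(session_key: bytes, label: bytes) -> bytes:
    """Mitigation: derive one key per direction from the shared session key."""
    return hashlib.sha256(session_key + b"|" + label).digest()


def ciphertext_xor(c1: bytes, c2: bytes) -> bytes:
    """With a shared keystream the eavesdropper gets c1 ^ c2 == p1 ^ p2 for free."""
    return xor_bytes(c1, c2)


def recover_other_side(c_known: bytes, p_known: bytes, c_other: bytes) -> bytes:
    """Ptacek's observation: known plaintext on one side exposes the other.

    c_known ^ p_known yields the keystream bytes; XOR with the other
    direction's ciphertext yields its plaintext over the overlapping length.
    """
    recovered_keystream = xor_bytes(c_known, p_known)
    return xor_bytes(c_other, recovered_keystream)


def flawed_session() -> tuple[bytes, bytes]:
    """The flaw as described: one key for both directions."""
    return encrypt(SESSION_KEY, P_OUTGOING), encrypt(SESSION_KEY, P_INCOMING)


def fixed_session() -> tuple[bytes, bytes]:
    """The fix: separate derived keys, so the keystreams never repeat."""
    k_out = direction_key(SESSION_KEY, b"client-to-server")
    k_in = direction_key(SESSION_KEY, b"server-to-client")
    return encrypt(k_out, P_OUTGOING), encrypt(k_in, P_INCOMING)


if __name__ == "__main__":
    c_out, c_in = flawed_session()
    print("flawed, recovered incoming:", recover_other_side(c_out, P_OUTGOING, c_in))
    c_out, c_in = fixed_session()
    print("fixed, same attempt yields:", recover_other_side(c_out, P_OUTGOING, c_in))
```

The first print shows the incoming message recovered in full over the length of the known outgoing message; the second shows only noise, because the two directions no longer share a keystream. Note that the XOR of the two ciphertexts alone leaks the XOR of the plaintexts, which is what makes the statistical attacks mentioned above possible even without any known plaintext.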

Alkemade later posted a follow-up demonstrating that the official Android and Nokia's Symbian S60 versions of the app are both vulnerable.

WhatsApp has been plagued by security concerns in recent years. In 2012, it was revealed that a security hole left WhatsApp user accounts open for hijacking. The exploit has since been fixed, but in 2012 another revelation showed how a savvy hacker could anonymously change the status of another WhatsApp user. This issue has since been resolved in the form of an IP check on currently logged-in sessions.

Such security problems wouldn't be of so much concern if it weren't for the fact that WhatsApp's popularity is leading to more and more sensitive information being shared over its messenger.

A Dutch website reported that doctors are increasingly sharing patient photos over the messaging app due to its speed and convenience. In September, a doctor in Mumbai, India, even performed a complicated microsurgical operation while a specialist communicated with him on WhatsApp.

While the messaging service is gaining greater and greater popularity, concerns about its lax security could hamper adoption among professionals, and it will only take one big data loss disaster before word gets out to the wider public.

Image: Flickr (Murasam3)