WhatsApp Flaw Opens Database Doors to Hackers
It's not clear what value hackers might find in perusing the chats of WhatsApp users, but that's small comfort to those who'd rather not expose their private conversations. An Android developer presented a proof of concept showing how the deed could be done, but there's no reason to believe that any thieves have penetrated the WhatsApp vault. It could mean a snag in Facebook's acquisition deal.
03/12/14 2:28 PM PT
An Android developer's disclosure that it's possible to hack into the WhatsApp database and read the text of the chats from another application could be a big headache for Facebook, which has agreed to purchase the app for US$19 billion.
"This is not a bug, but a design decision of WhatsApp," Bas Bosschert, chief technology officer of Double Think, told LinuxInsider.
"They selected for usability in their design, not security," he continued. "I didn't find anything new -- I only showed how people could abuse this flaw with a working proof of concept."
The flaw works if the database backup capability is enabled, which it apparently is by default, commenters on Bosschert's blog post said.
Although WhatsApp had encrypted its database in February, that encryption is available only in new installations, and updates still use the old, unencrypted version, Bosschert remarked.
Facebook and WhatsApp did not respond to our request to comment for this story.
How the Hack Works
The process seems straightforward -- Bosschert created a PHP script to store the database on a Web server, created an Eclipse project with some additional lines in the AndroidManifest.xml file, and grabbed the msgstore.db and wa.db WhatsApp files, which are unencrypted.
His application displayed a simple loading screen during that process so users wouldn't notice their WhatsApp database was being pilfered.
The hack is possible because the WhatsApp database used to be stored in SQLite3 format. OpenSSL apparently also could be used to hack the database.
Although it appears WhatsApp encrypted the msgstore.db database using the .crypt utility, it's still possible to read chats from the encrypted database by creating a simple Python script, which converts it to a plain SQLite 3 database.
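For anyone auditing a copy of a device's storage, the following sketch flags WhatsApp database files that are still plain SQLite 3 and so can be read without any key. It is an added example, not code from this article or from Bosschert; the function names and the sample_backup directory are assumptions, and the sample files are constructed.

```python
import os
import tempfile

# Every SQLite 3 database file begins with this 16-byte magic string.
SQLITE_MAGIC = b"SQLite format 3\x00"

# File names from the article (msgstore.db, wa.db, and .crypt variants).
WATCHED_PREFIXES = ("msgstore", "wa.db")


def classify(path):
    """'plaintext-sqlite' if the file has the SQLite 3 header, else 'opaque'.

    'opaque' only means "not a plain SQLite file"; it does not prove
    that the content is strongly encrypted.
    """
    with open(path, "rb") as fh:
        header = fh.read(len(SQLITE_MAGIC))
    return "plaintext-sqlite" if header == SQLITE_MAGIC else "opaque"


def audit(root):
    """Walk root and map each watched file (path relative to root) to its class."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith(WATCHED_PREFIXES):
                full = os.path.join(dirpath, name)
                findings[os.path.relpath(full, root)] = classify(full)
    return findings


def build_sample(root):
    """Write a constructed sample tree (not real WhatsApp data)."""
    db_dir = os.path.join(root, "sample_backup")  # hypothetical directory name
    os.makedirs(db_dir)
    samples = {
        "msgstore.db": SQLITE_MAGIC + b"\x00" * 84,   # plain SQLite header
        "wa.db": SQLITE_MAGIC + b"\x00" * 84,
        "msgstore.db.crypt": bytes(range(7, 107)),     # stand-in for ciphertext
        "notes.txt": b"unrelated file",                # ignored by the audit
    }
    for name, data in samples.items():
        with open(os.path.join(db_dir, name), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, verdict in sorted(audit(tmp).items()):
            print(f"{verdict:18} {rel}")
```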
Keeping Chats Safe
Bosschert obtained the database's AES key by using the WhatsApp Xtract tool published in the XDA Developers' Forum. That key no longer works with the encrypted database, according to TiFlo Software, which claims its statistical app cracks the encryption.
"Given the nature of the WhatsApp use model, with backup enabled by default, you could argue that the hack is a key to a treasure house of information ... [but] I personally doubt it," Charles King, principal analyst at Pund-IT, told LinuxInsider.
"Given the size of WhatsApp's user base and how popular the app is among young people, finding anything of value would likely be comparable to searching for a needle of enlightenment in digital haystacks of teenaged trivia," King continued.
The Impact on Facebook
The impact of the hack on Facebook's purchase of WhatsApp likely will be minimal at worst.
"It will take something like the Target hack, where millions of people lost their credit card information, to have an impact on the deal," Jim McGregor, founder and principal analyst at Tirias Research, told LinuxInsider.
"That will eventually happen as electronic wallets and other applications emerge, but for now it's going to be another of those 'there's another issue, go fix it' things for Facebook, which is a company that's known for sharing user information anyway."
Still, users "will be screwed if WhatsApp doesn't think of a backwards-compatible solution so existing databases can be converted to a secure implementation," Bosschert said.
Given that competition in the chat apps market is keen and some WhatsApp users have fled to other apps like Viber in the wake of the Facebook purchase, perhaps the situation should not be taken too lightly.