
The chinks in WhatsApp’s armour
TechTonic: Security issues, malware and spam have begun to spring up on the app
WhatsApp Web
The first point of concern is WhatsApp Web. WhatsApp allows you to open a website or download a desktop app, scan a QR Code and use WhatsApp on your computer.
The WhatsApp you download from the App Store or Play Store is secure but once on the desktop, it reveals several vulnerabilities. Security analyst Gal Weizman found multiple critical security flaws that allow hackers to change messages or media that you are forwarding.
He also exposed a redirect flaw in messages with a banner. For example, you get a message that has a link to an outside source, say Facebook. Typically, when you forward a message with https://facebook.com, the people receiving it will get a typical Facebook banner with Facebook’s “f” symbol and a message that asks you to sign up with Facebook, with the link you are forwarding at the bottom.
On WhatsApp, the banner is generated on the side of the sender and one can tamper with it, changing the forwarded link, before sending it to the receiver. Not only that, as Gal Weizman showed, the link can be rewritten with an @ symbol which redirects the person clicking on the link to a malicious site.
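A receiver-side consistency check for the two problems described above, as an added example that is not part of the original article or of WhatsApp's code: it compares the domain a banner claims with the host the link actually points at, and flags links that place an @ before the real host. The function name checkLink, the parameters bannerDomain and link, and the sample domains are assumptions made for illustration.

```javascript
// Added example: receiver-side sanity check for a forwarded link banner.
// `bannerDomain`, `link` and the sample values are constructed for illustration.

function checkLink(bannerDomain, link) {
  const findings = [];
  let url;
  try {
    url = new URL(link); // WHATWG parser, the same rules browsers apply
  } catch (err) {
    return ["unparseable-link"];
  }

  // Everything before "@" in the authority is credentials, not the host.
  // "https://facebook.com@malicious.example/" therefore goes to malicious.example.
  if (url.username !== "" || url.password !== "") {
    findings.push("userinfo-in-link");
  }

  // The banner is built by the sender, so compare what it claims with the
  // host the link really points at (exact match or a subdomain of it).
  const host = url.hostname.toLowerCase();
  const claimed = bannerDomain.toLowerCase();
  if (host !== claimed && !host.endsWith("." + claimed)) {
    findings.push("host-mismatch");
  }
  return findings;
}

// Constructed sample messages: [domain shown in banner, link carried by message]
const samples = [
  ["facebook.com", "https://facebook.com/"],
  ["facebook.com", "https://www.facebook.com/signup"],
  ["facebook.com", "https://login.example.net/"],
  ["facebook.com", "https://facebook.com@malicious.example/signup"],
];
for (const [domain, link] of samples) {
  console.log(link, "->", checkLink(domain, link).join(", ") || "ok");
}
```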
WhatsApp confirmed that it had a vulnerability that allowed hackers to instal malware on phones and other devices. A WhatsApp voice call was made to the target’s phone. An advanced surveillance tool got installed whether the call was answered or not. The malware got installed and proceeded to wipe away any notification and call log related to it. It then trawled through the victim’s messages, photos and videos. It activated and recorded data through the microphone and camera. This was an advanced and dangerous piece of malware.
This vulnerability affected all devices that had WhatsApp or WhatsApp Business installed, that is, Android, iOS, Windows 10 mobile and Tizen devices. What was most worrisome was that the malware did not need the victim to answer the call to instal. The malware was silent, installed itself and then deleted the evidence.
Immediately after the attack, WhatsApp rolled out an urgent update, which patched the vulnerability. The advice was to keep your devices updated constantly.
Cloud backup
Only you and the recipient can read your message, as end-to-end encryption implies. However, WhatsApp allows you to back up your messages on Android or iOS.
You may back up in two ways: on the device itself and/or on iCloud or Google Drive. Herein lies the Achilles heel. The messages that you have backed up are not encrypted. Should your device or cloud drives get hacked, there goes your privacy.
Moreover, since both the cloud storage providers are US-based, all the FBI have to do is get a warrant to access your data.
Data sharing with FB
When Facebook acquired WhatsApp, it had assured users it would keep the data of the two companies separate. However, very soon, WhatsApp updated its privacy policy to allow sharing of data.
It was also stated that none of your information would be publicly visible on Facebook but hidden in Facebook’s inaccessible profile of you. WhatsApp initially said you could opt out of this but later quietly removed the option.
The bottom line is, your security is in your hands. Update diligently and regularly. And don’t keep important data stored on WhatsApp.
Send in your problems to askdoss2020@gmail.com with TechTonic as the subject line
Disclaimer Note:
The views expressed in the articles published here are solely those of the author and do not necessarily reflect the official policy, position, or perspective of Kalimpong News or KalimNews. Kalimpong News and KalimNews disclaim all liability for the published or posted articles, news, and information and assume no responsibility for the accuracy or validity of the content.
Kalimpong News is a non-profit online news platform managed by KalimNews and operated under the Kalimpong Press Club.