In association with heise online

08 September 2011, 16:21

Update fixes critical security holes in WhatsApp


An updated version, 2.6.5, of the WhatsApp Messenger application for iPhones has been released to Apple's App Store. In the new version, the developer has closed a number of critical security holes that allowed forged messages to be sent and messages from any user to be read.

WhatsApp Messenger is a cross-platform messaging service (available for iPhone, BlackBerry, Android and Nokia Symbian60). Because the data is transmitted over the internet, using WhatsApp does not necessarily entail any additional costs, depending on the user's specific data contract. A lot of users prefer the app to sending text messages, which can often cost them a lot more money. Because of this, WhatsApp Messenger has become a top 10 best-selling app in 16 of the 22 countries in which it is available.

To make the service as easy as possible to use, messages are sent based on the subscriber's mobile number. After installation, the app compares the telephone numbers in its own address book with a global address book on WhatsApp servers. If the user has any contacts who already use WhatsApp Messenger, they are displayed as favourites and can be connected to directly via the app.

However, this approach raises some data protection questions, and the recently discovered vulnerabilities only make matters worse. Communication between the app and the web service's back-end during the registration process can be manipulated so that mobile telephone numbers and their user accounts are taken over, reports Andreas Kurtz, who discovered the vulnerabilities. He found that the messages of any WhatsApp user could be read and that messages could also be sent under a forged identity; Kurtz provides details in his blog.

The company behind the app says that the other platforms supported by WhatsApp are not vulnerable because a new registration mechanism is already being used. The firm says that outdated code was still used for Messenger on the iPhone because the app was developed for that platform. But users of other platforms were also vulnerable because of the security flaw in the iPhone version.

