Which SSL Reviews

Error in WhatsApp Crypto Exposes Messages

October 17, 2013

Encryption is an important security measure, used constantly by browsers, messaging services and e-mail to protect files and data while they are in transit. It stops hackers and other third parties from eavesdropping on the exchange. For websites, the best way to do this is with SSL Certificate solutions issued by reputed certificate authorities from around the globe. One issue is that the same technology cannot be used on all platforms, because mobile devices are completely different, which is why dedicated mobile antivirus is being used.

The need for this became clearer when a student found a bug in WhatsApp that exposes all messages exchanged. WhatsApp is one of the most widely used messaging apps, but the problem lies in its cryptography. According to his findings, the encryption is not very strong because it uses the same keys for both incoming and outgoing messages, which makes it vulnerable to hacking.

The computer science student studied WhatsApp's technology and revealed that opening these messages is not a difficult task for hackers or experts in this field. With little effort, they can read what you have been discussing and sharing with your peer group. The SSL certificate concept doesn't apply here, because WhatsApp uses RC4, a pseudo-random number generator whose output is combined with the message using an XOR cipher.

The process isn't as complex as it sounds, which is why even a small-time hacker can manage to reveal the messages. The data is encrypted as a stream of bytes, which may sometimes split messages. So third parties will not be able to read everything in one go, but they can read the majority of it, or predict what comes next once plaintext is read.

The same person who found this bug also confirmed another implementation error. He claims that the same HMAC keys are being used in both directions; the keys for incoming and outgoing messages are supposed to be different from one another. This issue does not arise with websites, because SSL Certificate technology carries data packets and direct messages are not shared all the time. The primary purpose of WhatsApp, however, is to send messages. They are supposed to use TLS counters with a different HMAC sequence for sending, while RC4 can be used for incoming messages, which can be considered a more secure way to solve this issue. Until patches arrive, it is not so safe to use this app for messaging.
