WhatsApp Weakness ‘Could Expose PayPal, Google Accounts’

WhatsApp’s mixed use of SSL encryption described as “extremely bad form”

A weakness in the way popular mobile messaging service WhatsApp does encryption could let hackers easily get hold of users’ payment accounts, a young security company has warned.

When making a payment to gain a WhatsApp licence, the connection between the WhatsApp server and payment services, including Google Wallet and PayPal, is protected by Secure Sockets Layer (SSL) encryption.

But the connection between the app’s browser, which launches when payments are made, and the WhatsApp server is not protected at all.

WhatsApp security threat

Whistleblower leak keyboard security breach © CarpathianPrince ShutterstockThis lack of protection could allow an attacker to figure out when a user requests to make a payment, intercept the communication with the legitimate payment services, and serve up their own fraudulent phishing site asking for users’ information.

“This means an attacker could intercept the first request via a suitable man-in-the-middle attack and successfully redirect the user to any webpage when the user is trying to buy Whatsapp credit,” said the two-year-old German security company Curesec.

“To gain user accounts the attacker could set up a fake Google Wallet or Paypal systems page to harvest user accounts.”

Curesec, which discovered the lack of SSL when toying with WhatsApp for Android, told TechWeekEurope it had contacted WhatsApp three times but had not received any response. WhatsApp had not responded to requests for comment at the time of publication.

‘Extremely bad form’

Whilst the attack would be easy to pull off if the snooper was sitting on the same Wi-Fi network as the victim, this kind of opportunity doesn’t come too often. Payments made over the WhatsApp platform are only required to buy a yearly license.

But security expert Troy Hunt told TechWeek this was still “extremely bad form” from WhatsApp, which claims to be bigger than Twitter.

“It’s serious as it’s a complete and utter failure of HTTPS. If they take a position where they acknowledge that this process poses a risk that requires transport layer protection – and clearly they have as there is some use of HTTPS – then requesting resources over an unprotected connection to begin the process entirely undermines the security that comes later,” Hunt said.

“Risks like these in mobile apps are becoming the new frontier for web security as they’re extremely prevalent, often hastily constructed and their communication with web servers isn’t visible in the same way it is when you load content in the browser.”

“We’ll be seeing a lot more of this sort of thing.”

Last week, Tumblr was spotted not doing SSL properly in its iOS application, admitting passwords could have been pilfered. It confirmed this when delivering a fix.

Mobile messaging apps have proven an attractive target for hackers too. This week saw a Viber website hacked and user credentials compromised, whilst Tango was also hit by the Syrian Electronic Army.

What do you know about Internet security? Find out with our quiz!