UNH Researchers Discover Privacy Flaws in Popular Messaging Apps
Millions of people worldwide whose privacy is at risk due to flaws in the Viber and WhatsApp apps can thank the University of New Haven's Cyber Forensics Research & Education Group (UNHcFREG) at the Tagliatela College of Engineering for discovering the flaws and generating publicity that has led to fixes.
May 01, 2014
Last month, the UNH Cyber Forensics Research & Education Group showed that data sent using Viber and WhatsApp can be intercepted, making it possible for anyone to snoop on private communications.
Since then, the flaws have been widely reported internationally in some 20 languages in a variety of publications and on numerous websites. As recently as April 30 it was reported by CNET that Viber "has added encryption measures to its messaging app for Android and iOS so that network eavesdroppers no longer can see or tamper with unprotected images, video, and messages about a user's location."
"Viber and WhatsApp together have over 600 million users that may be affected by our discovery," says Abe Baggili, head of the UNHcFREG group and an assistant professor of computer science at the university. "This work is about protecting people's privacy, which is big news given everything that is going on with Edward Snowden and the National Security Agency."
Viber allows users to make free calls, send free texts and share pictures with anyone, anywhere. It also allows a Viber subscriber to send video and voice messages to other Viber users for free.
WhatsApp is similar in that it allows users to exchange messages using a variety of mobile phone platforms. WhatsApp users can create groups, send each other unlimited images, video and audio media messages without having to pay SMS, or text messaging, fees.
Discovering the Flaws
The UNH group first discovered the privacy flaws in WhatsApp through a network forensics research project. The discovery, made by Baggili along with UNH students Jason Moore, Mohammed Al Saif and Atefeh Masihzadeh, is presented in a video.
They reported that a vulnerability in WhatsApp makes it possible for an attacker to intercept shared locations of the app’s users by "calling out" to Google Maps. This means that an attacker can pinpoint a user and share the user’s location with other WhatsApp users. The UNH researchers demonstrated the flaw in a video that was posted on their website.
They followed this up with the announcement that they had found a similar, but more serious, "open transmissions" flaw in Viber, which permanently stored all messages sent by its users on its servers. This flaw is also illustrated in a video.