The Android version of WhatsApp, the cross-platform instant messaging app purchased by Facebook for $16 billion, has a loophole that leaves chat histories wide open to other apps installed on the same smartphone, a security consultant says.
Consultant, system administrator, and entrepreneur Bas Bosschert documented the vulnerability in a blog post published Tuesday. It includes proof-of-concept code showing how a rogue app could stealthily upload the chat history to an attacker-controlled server and, for newer versions of WhatsApp, decrypt the file. The exploit is premised on the victim installing a malicious app that offers a game or some other useful feature while, in the background, reading the database WhatsApp stores on the secure digital (SD) card of an Android device.
"The WhatsApp database is saved on the SD card which can be read by any Android application if the user allows it to access the SD card," Bosschert wrote. "And since [the] majority of the people allows [sic] everything on their Android device, this is not much of a problem."
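The weakness Bosschert describes is a storage-location choice: a file on shared external storage is visible to every app holding the storage permission, while a file in the app's private data directory is restricted by the kernel to the app's own UID. The following is an added illustration, not code from the article or from WhatsApp; the package, class and file names are hypothetical, and it uses only standard Android APIs (`Environment.getExternalStorageDirectory`, `Context.openOrCreateDatabase`, `Context.getDatabasePath`). It shows the weak pattern beside the hardened one, plus a small audit helper a reviewer could apply to any `File` an app writes.

```java
// Added example (not from the article or WhatsApp). Package and class names
// are hypothetical; the file name "msgstore.db" is a constructed placeholder.
package example.storage;

import android.content.Context;
import android.database.sqlite.SQLiteDatabase;
import android.os.Environment;

import java.io.File;

public final class ChatStore {
    private static final String DB_NAME = "msgstore.db"; // constructed placeholder

    /**
     * Weak: the database lives on shared external storage (the "SD card").
     * Before scoped storage (Android 10), any app granted READ_EXTERNAL_STORAGE
     * can open this file, which is the exposure the article describes.
     */
    public static SQLiteDatabase openOnSharedStorage() {
        File dir = new File(Environment.getExternalStorageDirectory(), "ChatApp");
        dir.mkdirs();
        return SQLiteDatabase.openOrCreateDatabase(new File(dir, DB_NAME), null);
    }

    /**
     * Hardened: the database lives under /data/data/<package>/databases/, which
     * is owned by this app's UID with mode 0700 and is not reachable through
     * the storage permission. MODE_PRIVATE keeps the file app-private.
     */
    public static SQLiteDatabase openPrivate(Context ctx) {
        return ctx.openOrCreateDatabase(DB_NAME, Context.MODE_PRIVATE, null);
    }

    /**
     * Audit helper: true when the given file sits under shared external storage.
     * Note that Context.getExternalFilesDir() also lives there, so a file in the
     * app-specific external directory still counts as shared on older releases.
     */
    public static boolean isOnSharedStorage(File f) {
        String ext = Environment.getExternalStorageDirectory().getAbsolutePath();
        return f.getAbsolutePath().startsWith(ext + File.separator);
    }

    /** Convenience check on the path the private store actually resolves to. */
    public static boolean privateStoreIsPrivate(Context ctx) {
        return !isOnSharedStorage(ctx.getDatabasePath(DB_NAME));
    }
}
```

Moving the file does not by itself protect against a rooted device or an adb backup, but it removes the path the article describes, in which a third-party app with nothing more than the storage permission reads the chat history. Encrypting the file helps only if the key is not itself readable from the same shared location.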