WhatsApp: Cleartext Sensitive Information

      Comments Off on WhatsApp: Cleartext Sensitive Information

Do you use WhatsApp? Of course,  you do.

Do you think everything such as your contacts or chat messages are encrypted?

No. It is not encrypted.

 

whatsapp-575

Recently the famous chat application (WhatsApp) has been in news for Breaching User Privacy. Now I came across another issue in WhatsApp application. “Cleartext Sensitive Information in Local Database”, yes you read it correct. WhatsApp stores most of the user sensitive information in cleartext. Not only your chat messages, but contacts, status, timestamp of your conversation and lot more are stored in cleartext I Local DB.

As an attacker, I just need to steal your device and then simply access the local DB of WhatsApp on your device.

Steps:

  1. Take any android/iOS device which has/had WhatsApp installed on it.
  2. Root/Jailbreak the device.
  3. Explore the Application package for Android it is /data/data/com.whatapp.
  4. Look for .DB files. You will find multiple files with .DB extension (check them out, lot of info).
  5. Open msgstore.db with any SQL Browser and you will see most of the User Sensitive information in cleartext.
  6. Below are the screens as Proof-of-Concept (POC).
  7. WhatsApp is supposed to keep user info in encrypted format, isn’t it??

Screenshot_2015-09-14-20-38-24 Screenshot_2015-09-14-20-37-52 Screenshot_2015-09-14-20-35-39

Think if this information is getting sync over the internet, will it be secure?

So, all claims made by WhatsApp to encrypt your data are proving out to be FALSE.