Following the news that security experts have discovered a vulnerability in WhatsApp that could have allowed hackers to take over “hundreds of millions” of users’ accounts and access everything in them, IT security experts from Positive Technologies, Lastline, ESET, AlienVault and Imperva commented below on how users can avoid vulnerabilities like this affecting them and WhatsApp’s approach to fixing this issue.
Alex Mathews, Lead Security Evangelist at Positive Technologies:
“One billion people now use Whatsapp and 100m Telegram. Given the fact such services are deeply ingrained in a massive portion of the world’s daily lives, they are going to be an emerging target for attacks of all kinds. When you raise your head above the parapet, people look to knock it off for nefarious gain. This is the unfortunate truth of today’s digitally reliant world.”
“The security research community plays a vital part in addressing this problem, helping companies in positions of influence find vulnerabilities and weaknesses in their approach and assisting with fixes. The quick response of both Whatsapp and Telegram in this case is a positive sign of this process at work.”
Professor Giovanni Vigna, Co-Founder, Malware Detection Firm Lastline:
“This flaw shows how difficult it is to balance security and usability. WhatsApp did the right thing by encrypting the content, but by doing it too early in the message analysis pipeline, they could not determine that a message might be crafted to contain malicious code. This code could then access malicious information, which could be used to log into a user’s account for the web application.
“This flaw could be easily mitigated by using 2-factor authentication (recently introduced by WhatsApp), which has been proven to be one of the best security mechanisms to prevent wide-spread compromise.”
Mark James, Security Specialist at ESET:
“As the bad guys get smarter our applications need to keep up. More and more of our communications are open to abuse from cybercriminals and the opportunistic eaves dropper. One of the ways to get around this process is using something called end-to-end message encryption. WhatsApp states that “When end-to-end encrypted, your messages, photos, videos, voice messages, documents, status updates and calls are secured from falling into the wrong hands.” I.e. I encrypt it (automatically) from my application before I send it and you decrypt it at your end when you receive it. That means if anyone compromises the data in transit they are unable to use or identify anything within it, and there lies the problem – it limits your options for checking for anything malicious. Luckily this only affected the web platform so once resolved by WhatsApp themselves it only requires a browser restart.”
Javvad Malik, Security Advocate at AlienVault:
“The vulnerability fortunately is limited in that it only affects those users which use the web version of the application. Furthermore, to be successful, it relied on coercing the victim to download a malicious file.
While WhatsApp has reportedly fixed the vulnerability, it serves a reminder that phishing style attacks do not occur merely over email, but will come through any channel that is available, including chat apps. Users should always remain vigilant and refrain from clicking on to open or download any suspicious files.”
Itsik Mantin, Director of Security Research at Imperva:
“This is another example of the paradoxical tradeoff there is sometimes between security and privacy. If I can see data sent to you, then true that your privacy is better guaranteed, but it also means that I can’t examine this data, and thus regardless of the threat detection technology I have, it will be almost impossible to protect you from threats coming at your door.”