Posts tagged WhatsApp
Instagram and Grindr stored images on their servers that were accessible without authentication, study finds
Instagram, Grindr, OkCupid and many other Android applications fail to take basic precautions to protect their users’ data, putting their privacy at risk, according to a new study.
The findings come from the University of New Haven’s Cyber Forensics Research and Education Group (UNHcFREG), which earlier this year found vulnerabilities in the messaging applications WhatsApp and Viber.
This time, they expanded their analysis to a broader range of Android applications, looking for weaknesses that could put data at risk of interception. The group will release one video a day this week on their YouTube channel highlighting their findings, which they say could affect upwards of 1 billion users.
“What we really find is that app developers are pretty sloppy,” said Ibrahim Baggili, UNHcFREG’s director and editor-in-chief of the Journal of Digital Forensics, Security and Law, in a phone interview.
The researchers used traffic analysis tools such as Wireshark and NetworkMiner to see what data was exchanged when certain actions were performed. That revealed how and where applications were storing and transmitting data.
Facebook’s Instagram app, for example, still had images sitting on its servers that were unencrypted and accessible without authentication. They found the same problem in applications such as OoVoo, MessageMe, Tango, Grindr, HeyWire and TextPlus when photos were sent from one user to another.
Those services were storing the content with plain “http” links, which were then forwarded to the recipients. But the problem is that if “anybody gets access to this link, it means they can get access to the image that was sent. There’s no authentication,” Baggili said.
The services should either ensure the images are quickly deleted from their servers or that only authenticated users can get access, he said.
Many applications also didn’t encrypt chat logs on the device, including OoVoo, Kik, Nimbuzz and MeetMe. That poses a risk if someone loses their device, Baggili said.
“Anyone who gets access to your phone can dump the backup and see all the chat messages that were sent back and forth,” he said. Other applications didn’t encrypt the chat logs on the server, he added.
Another significant finding is how many of the applications either don’t use SSL/TLS (Secure Sockets Layer/Transport Layer Security), which involves using digital certificates to encrypt data traffic, or use it insecurely, Baggili said.
Hackers can intercept unencrypted traffic over Wi-Fi if the victim is in a public place, a so-called man-in-the-middle attack. SSL/TLS is considered a basic security precaution, even though in some circumstances it can be broken.
OkCupid’s application, used by about 3 million people, does not encrypt chats over SSL, Baggili said. Using a traffic sniffer, the researchers could see text that was sent as well as who it was sent to, according to one of the team’s demonstration videos.
Baggili said his team has contacted developers of the applications they’ve studied, but in many cases they haven’t been able to easily reach them. The team wrote to support-related email addresses but often didn’t receive responses, he said.
The mobile messaging app has 450 million monthly users
Facebook, in a major push to expand its business on smaller screens, has agreed to buy the mobile messaging app WhatsApp for $16 billion, the companies said Wednesday.
Facebook plans to pay $12 billion in shares and $4 billion in cash to acquire the company. It will also grant $3 billion in stock options to WhatsApp’s founders and employees. The deal is expected to close this year pending regulatory approval, Facebook said.
The size of the deal shows the value that Silicon Valley firms now place in mobile users, and what a high-stakes industry mobile computing has become. Facebook paid $1 billion when it bought Instagram almost two years ago, and even then some said it had paid too much.
WhatsApp has 450 million monthly users, and 70 percent of them access the service daily, Facebook said, making WhatsApp one of the leading mobile messaging services.
WhatsApp will operate “independently” inside Facebook and retain its own brand, Facebook said, a model similar to the one it has used for its Instagram acquisition.
“WhatsApp is on a path to connect 1 billion people. The services that reach that milestone are all incredibly valuable,” Facebook CEO Mark Zuckerberg said in a statement.
It’s a dramatic move by Facebook to solidify its position in mobile. After a slow start the social network now generates more than half of its ad revenue on mobile, but it wants to strengthen that position further, in part by offering more standalone apps.
Facebook already has its own Messenger app, which it said will continue to operate alongside WhatsApp. It also has Instagram and it recently launched Paper, a new app focused on visuals.
WhatsApp allows people to send messages and photos over the Internet, meaning they don’t have to pay SMS charges. Like Skype and other Internet-based communications tools, it’s seen as a significant threat to traditional cellular carriers like Verizon and AT&T.
If the merger plan falls apart because the companies can’t get the required regulatory approvals, Facebook has to pay WhatsApp $1 billion in cash and also issue it $1 billion in stock. Both companies have the right to terminate the deal if it’s not closed by Aug. 16, suggesting they expect to complete the acquisition before then.
When it closes, Jan Koum, WhatsApp’s co-founder and CEO, will get a seat on Facebook’s board of directors.