A security vulnerability discovered and published Tuesday by a chief technology officer and consultant allows hackers to steal private conversations from Android users of WhatsApp, Facebook’s newest $19 billion messenger acquisition.
Bas Bosschert of website designer DoubleThink found the vulnerability in WhatsApp’s encryption, which allows other apps to access and read all of a user’s chat communications, TechCrunch reports. The security hole was still present after a major Android software update Tuesday.
The Android version of WhatsApp saves conversations on a smartphone’s SD memory card, which can also be accessed by numerous other apps with permission – most apps ask for full phone access upon being downloaded. That permission leaves open the potential for a malicious app to access the conversations, since the apps share the same storage space and therefore the same access to it.
According to the report and WhatsApp, that means the vulnerability is more of an unintended symptom of Android’s infrastructure for data storage.
An app built by Bosschert was able to upload the chats stored on a phone while distracting the user with a loading screen, and he was able to decrypt the database with a custom script.
Having made such a sizable investment to purchase WhatsApp, Facebook will likely tackle any gaping security issues without much delay – provided it can find a workaround for the inherent Android design issue highlighted by the problem.
Apple’s iPhone, by contrast, is designed to isolate each app’s data so that only that app can access it, and in general gives users far more control over app permissions than Android.