• whatsapp = bad for your smartphone health

    From Ogg@VERT/CAPCITY2 to All on Wed Oct 5 19:50:00 2022
    FYI, gleaned from Durov's Telegram channel, Oct 5..

    [start]

    "Hackers could have full access (!) to everything on the phones of WhatsApp users.

    "This was possible through a security issue disclosed by WhatsApp itself (https://www.whatsapp.com/security/advisories/2022/) last week. All a hacker had to do to control your phone was send you a malicious video or start a video call with you on WhatsApp.

    "You are probably thinking "Yeah, but if I updated WhatsApp to the latest version, I am safe, right"?

    "Not really.

    "A WhatsApp security issue exactly like this one was discovered in 2018 (https://www.cnbc.com/2018/10/10/whatsapp-bug-let-hackers-hijack-accounts-with-a-video-call-reports.html), then another in 2019 (https://www.ft.com/content/4da1117e-756c-11e9-be7d-6d846537acab) and yet another one in 2020 (https://timesofindia.indiatimes.com/gadgets-news/whatsapp-reveals-six-security-issues-that-could-have-got-its-users-hacked/articleshow/77925426.cms) (tap each year's link to see the corresponding vulnerability). And yes, in 2017 (https://telegra.ph/whatsapp-backdoor-01-16) before that. Prior to 2016, WhatsApp didn't have encryption at all.

    "Every year, we learn about some issue in WhatsApp that puts everything on their users' devices at risk. Which means it's almost certain that a new security flaw already exists there. Such issues are hardly incidental - they are planted backdoors. If one backdoor is discovered and has to be removed, another one is added (read the post "Why WhatsApp will never be secure (https://telegra.ph/Why-WhatsApp-Will-Never-Be-Secure-05-15)" to understand why).

    "It doesn't matter if you are the richest person on earth - if you have WhatsApp installed on your phone, all your data from every app on your device is accessible, as Jeff Bezos found out in 2020 (https://www.theguardian.com/technology/2020/jan/21/amazon-boss-jeff-bezoss-phone-hacked-by-saudi-crown-prince). That's why I deleted WhatsApp from my devices years ago. Having it installed creates a door to get into your phone.

    "I'm not pushing people to switch to Telegram here. With 700M+ active users and 2M+ daily signups, Telegram doesn't need additional promotion. You can use any messaging app you like, but do stay away from WhatsApp - it has now been a surveillance tool for 13 years.

    [stop]

    Personally, I find Telegram a great little comm app to use between friends.


    --- OpenXP 5.0.51
    * Origin: Ogg's Dovenet Point (723:320/1.9)
    ■ Synchronet ■ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP
  • From Arelor@VERT/PALANT to Ogg on Thu Oct 6 05:39:22 2022
    Re: whatsapp = bad for your smartphone health
    By: Ogg to All on Wed Oct 05 2022 07:50 pm

    "Hackers could have full access (!) to everything on the phones of WhatsApp users.

    I have not followed the links yet, but by the sound of it, it would be an issue with the underlying
    operating system Whatsapp would be running on too. In theory a compromised application could only access
    resources the operating system is willing to concede to it. That is why you are supposed to give
    permissions to applications to access this or that feature of the phone.

    --
    gopher://gopher.richardfalken.com/1/richardfalken

    ---
    ■ Synchronet ■ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL
  • From Ogg@VERT/CAPCITY2 to Arelor on Thu Oct 6 18:59:00 2022
    Hello Arelor!

    ** On Thursday 06.10.22 - 05:39, Arelor wrote to Ogg:

    "Hackers could have full access (!) to everything on the phones of
    WhatsApp users.

    [...] In theory a compromised application could only
    access resources the operating system is willing to
    concede to it. That is why you are supposed to give
    permissions to applications to access this or that feature
    of the phone.

    My understanding of the vulnerability is that Whatsapp is
    allowing full access despite user-controls, when a user is
    tricked into a video conference or accepts some file delivery.
    And.. meanwhile, Whatsapp stores the user passwords in the
    clear.


    --- OpenXP 5.0.51
    * Origin: Ogg's Dovenet Point (723:320/1.9)
    ■ Synchronet ■ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP
  • From MRO@VERT/BBSESINF to Ogg on Thu Oct 6 23:00:17 2022
    Re: whatsapp = bad for your smartphone health
    By: Ogg to Arelor on Thu Oct 06 2022 06:59 pm

    My understanding of the vulnerability is that Whatsapp is
    allowing full access despite user-controls, when a user is
    tricked into a video conference or accepts some file delivery.
    And.. meanwhile, Whatsapp stores the user passwords in the
    clear.

    i didn't follow the link but i looked it up on my own.
    they don't think anybody knew about this issue and it was patched. who knows if that's correct. it's from sending a video file that allows remote code execution.

    what do you mean whatsapp stores user passwords in the clear?
    they are encrypted.
    ---
    ■ Synchronet ■ ::: BBSES.info - free BBS services :::
  • From Ogg@VERT/CAPCITY2 to MRO on Sat Oct 8 08:52:00 2022
    Hello MRO!

    ** On Thursday 06.10.22 - 23:00, MRO wrote to Ogg:

    i didn't follow the link but i looked it up on my own. they
    don't think anybody knew about this issue and it was
    patched. who knows if that's correct. it's from sending a
    video file that allows remote code execution.

    There were other links in the message, but yes.. the main thing
    was the video-call issue. In the cnbc article:

    "This is a big deal," Tavis Ormandy, a researcher at Google
    Project Zero which discovered the bug, said on Twitter. "Just
    answering a call from an attacker could completely compromise
    WhatsApp."


    what do you mean whatsapp stores user passwords in the clear?
    they are encrypted.

    One of the other articles mentioned that up until 2016 the app
    didn't encrypt the pw or manage the keys properly.


    --- OpenXP 5.0.51
    * Origin: Ogg's Dovenet Point (723:320/1.9)
    ■ Synchronet ■ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP
  • From MRO@VERT/BBSESINF to Ogg on Sat Oct 8 14:29:29 2022
    Re: whatsapp = bad for your smartphone health
    By: Ogg to MRO on Sat Oct 08 2022 08:52 am

    what do you mean whatsapp stores user passwords in the clear?
    they are encrypted.

    One of the other articles mentioned that up until 2016 the app
    didn't encrypt the pw or manage the keys properly.


    i don't think they know that for sure. they probably salted them somehow.

    there's a lot of services that didn't protect passwords properly. sony saved them in plain text. so did POF for a long time. dropbox has been compromised.

    you can not expect to be safe.
    ---
    ■ Synchronet ■ ::: BBSES.info - free BBS services :::