What's Up with WhatsApp? – A Critique of Security Challenges at the World's Largest VoIP App

Jeff Phillips, Code Siren, LLC

27 August 2023 - Industry

Introduction

WhatsApp is the world's largest VoIP app. As of August 2023, it had over 2.74 billion active users worldwide[1]. It is used by people in over 180 countries and territories. WhatsApp's VoIP calling feature allows users to make free voice calls to other WhatsApp users, regardless of their location. The calls are relatively high-quality and clear, using very little data, but there is a price for this convenience. In this Code Siren, LLC article, we will explore the many historical vulnerabilities of WhatsApp and the real expense of using an insecure communications platform.

As of August 14, 2023, 59 vulnerabilities have been found in WhatsApp[2]. Seven vulnerabilities have been classified as critical, 17 as high, 12 as medium, and one as low. The most recent vulnerability was found in September 2022 and allowed attackers to execute remote code on a victim's device by sending a specially crafted video call.

Background

WhatsApp was founded by two geniuses, Jan Koum and Brian Acton, in February 2009. Koum and Acton met while working at Yahoo. Koum was born in Ukraine in 1976 and moved to the United States when he was 16. Acton was born in Boston, Massachusetts, in 1972. He graduated from the Worcester Polytechnic Institute with a degree in computer science.

Koum and Acton were skilled programmers, and both excelled at marketing[3]. The self-taught engineers were able to identify a need for a simple, reliable, and secure messaging app, and they were able to execute their vision. The idea for WhatsApp came to Koum when he was trying to find a way to stay in touch with his friends without paying for text messages. He wanted to create an app that was simple and easy to use, allowing people to send messages for free[4].

WhatsApp was initially released for the iPhone, and it quickly became popular. In 2010, it was released for Android devices, and its popularity exploded. By 2014, WhatsApp had over 450 million users.

In October 2014, Facebook (now Meta) acquired WhatsApp for $19 billion[5]. Koum and Acton remained as the company's CEO and co-CEO, respectively. However, Acton left in September 2017, and Koum left the following year in April 2018[6].

The Facebook Era

One of the most significant changes after the Meta acquisition is that WhatsApp has become more integrated with Facebook. For example, users can now use their Facebook accounts to sign up for WhatsApp, and WhatsApp messages can be synced with Facebook Messenger. This integration has been criticized by some users concerned about their privacy.

Another change is that WhatsApp has started to introduce more advertising. In 2018, the company announced that it would start showing ads in status updates. This was a departure from WhatsApp's previous policy of not showing ads[7].

Despite these changes and the vulnerabilities listed below, WhatsApp enjoys being the most popular messaging app in the world. However, the platform is still recognized for its alleged secure messaging features and privacy claims. The app continues to be extremely popular in developing countries and is often used as a substitute for SMS messaging.

The future of WhatsApp is uncertain. The app might continue to grow in popularity or face competition from other, more secure apps, such as Telegram, Signal, and post-quantum cryptography messaging startups. However, the app is still well-positioned to remain a major player in the messaging market.

Communication Protocols

WhatsApp uses the open and free XMPP for data transmission. XMPP denotes the Extensible Messaging and Presence Protocol[8]. It is an open, XML-based protocol for instant messaging, presence, and other forms of real-time data communication. XML stands for Extensible Markup Language[9]. It is a markup language that stores and transports data. XML is a text-based format, meaning humans and machines can read and understand it.

XMPP is a decentralized protocol, meaning that there is no central authority that controls it. WhatsApp uses a modified XMPP version optimized for mobile devices and low-bandwidth networks. The XMPP protocol facilitates the exchange of messages between users and handles other features such as group voice, chat, video calls, and file sharing.

Since XMPP is a client-server protocol for messaging and presence, clients connect to servers to send and receive messages. Messages are sent in XML format and processed by the server. The server then delivers the messages to the intended recipients. XMPP also supports presence, allowing clients to track other users' online status. XMPP is an open standard, meaning anyone can create their own servers and clients. This allows different servers to communicate with each other.
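The client-to-server flow described above can be sketched as follows. This is an added example, not WhatsApp's code and not part of the original article: it models standard XMPP message stanzas (not WhatsApp's modified variant), and the size cap, the simplified address check, the `example.org` addresses and the in-memory inboxes are assumptions made for illustration.

```python
import re
from xml.parsers import expat

MAX_STANZA_BYTES = 64 * 1024  # assumed size cap for this example
# Simplified JID shape ([local@]domain[/resource]); not full address validation.
JID_RE = re.compile(r"^(?:[^@/\s]+@)?[^@/\s]+(?:/\S+)?$")


class StanzaError(ValueError):
    """Raised when a stanza is rejected before routing."""


def parse_message(raw: bytes) -> dict:
    """Parse one <message/> stanza, refusing XML features XMPP prohibits."""
    if len(raw) > MAX_STANZA_BYTES:
        raise StanzaError("stanza too large")
    st = {"depth": 0, "attrs": {}, "in_body": False, "body": []}

    def forbid(*_):
        # DTDs, entity declarations, comments and processing instructions
        # are not allowed on an XMPP stream (RFC 6120), so fail closed.
        raise StanzaError("restricted XML feature in stanza")

    def start(name, attrs):
        st["depth"] += 1
        if st["depth"] == 1:
            if name != "message":
                raise StanzaError("not a message stanza")
            st["attrs"] = attrs
        elif st["depth"] == 2 and name == "body":
            st["in_body"] = True

    def end(name):
        if st["depth"] == 2 and name == "body":
            st["in_body"] = False
        st["depth"] -= 1

    def text(data):
        if st["in_body"]:
            st["body"].append(data)

    p = expat.ParserCreate()
    p.StartDoctypeDeclHandler = forbid
    p.EntityDeclHandler = forbid
    p.CommentHandler = forbid
    p.ProcessingInstructionHandler = forbid
    p.StartElementHandler, p.EndElementHandler = start, end
    p.CharacterDataHandler = text
    try:
        p.Parse(raw, True)
    except expat.ExpatError as exc:
        raise StanzaError(f"malformed XML: {exc}") from exc

    to = st["attrs"].get("to", "")
    if not JID_RE.match(to):
        raise StanzaError("missing or invalid 'to' address")
    return {"to": to, "claimed_from": st["attrs"].get("from"),
            "body": "".join(st["body"])}


def route(raw: bytes, authenticated_jid: str, inboxes: dict) -> dict:
    """Server side: deliver a client's stanza to the recipient's inbox."""
    msg = parse_message(raw)
    bare_to = msg["to"].split("/", 1)[0]
    if bare_to not in inboxes:
        raise StanzaError("unknown recipient")
    # The server stamps the sender from the authenticated session and never
    # trusts the client-supplied 'from', which blocks sender spoofing.
    delivered = {"from": authenticated_jid, "to": bare_to, "body": msg["body"]}
    inboxes[bare_to].append(delivered)
    return delivered


# Constructed sample stanzas (example.org addresses are placeholders).
GOOD = (b"<message from='alice@example.org/phone' to='bob@example.org' "
        b"type='chat'><body>hi &amp; bye</body></message>")
SPOOFED = (b"<message from='carol@example.org' to='bob@example.org'>"
           b"<body>pay me</body></message>")
WITH_DTD = (b"<!DOCTYPE m [<!ENTITY x 'aaaa'>]>"
            b"<message to='bob@example.org'><body>&x;</body></message>")
```

Calling `route(SPOOFED, "alice@example.org/phone", inboxes)` delivers the message with the authenticated sender rather than the claimed one, and `route(WITH_DTD, ...)` raises `StanzaError` before any entity is expanded.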

WhatsApp Cyber Attacks and Vulnerabilities:

1)   In January 2012, WhatsApp experienced a security breach that exposed the phone numbers of 450,000 users. The bug was caused by a flaw in how WhatsApp synced contacts with the phone's address book. When a user syncs their contacts with WhatsApp, the app also sends the user's phone number to WhatsApp's servers. This information was then accessible to hackers who could exploit the bug[10].

WhatsApp quickly fixed the bug, but some users were still affected. The company advised users to change their passwords and to be wary of any unsolicited messages that they received. This security breach was a major setback for WhatsApp, which was still a relatively new app. However, the company recovered from the incident and has since become one of the most popular messaging apps in the world.

2)   In December 2012, researchers from the University of New Hampshire Cyber Forensics Research & Education Group (UNH) discovered a design flaw in WhatsApp's protocol that allowed attackers to track users' locations. The flaw was in the way that WhatsApp handled the location-sharing feature. When a user shares their location on WhatsApp, the app sends the location data to the other party, but it also sends the location data to WhatsApp's servers. This meant that an attacker who could gain access to WhatsApp's servers could track the location of any user who had shared their location[11].

WhatsApp fixed the flaw in January 2013. The vulnerability exposed users' locations and could be used to track their movements. The exploit also exposed the affected users to targeted advertising. The location could have been sold to third parties.

3)   In March 2013, security researchers at FireEye discovered an exploit that affected 700 million users and abused a flaw in how WhatsApp handled contact lists. Attackers could send a specially crafted message to a victim that, when opened, would steal the victim's contact list and send it back to the attacker[12].

WhatsApp patched the vulnerability on March 31, 2013. However, it is important to note that the exploit was only present in the Android version of WhatsApp. The iOS version of WhatsApp was not affected.

4)   In January 2014, a vulnerability was discovered in WhatsApp's iOS app that allowed attackers to access users' photos and videos. The exploit was caused by a bug in how WhatsApp handled image thumbnails. The bug allowed attackers to create a malicious image that, when opened by a WhatsApp user, gave the attacker access to the user's photo library[13].

WhatsApp released a patch for the exposure on January 28, 2014. However, some users may have been affected by the vulnerability before the patch was released. The bug was discovered by Bas Bosschert, a security researcher, who found that the vulnerability affected WhatsApp versions 2.11.1 and earlier, affecting 450 million iPhone/iOS users.

5)   In February 2015, an exploit was discovered in WhatsApp's web client that allowed attackers to steal users' chat history. The vulnerability was caused by a bug in how WhatsApp handled cookies. The bug allowed attackers to create a malicious website that would steal the user's cookies when a WhatsApp user visited it. These cookies contained the user's chat history, which the attacker could then access. Although WhatsApp also patched that vulnerability quickly, 100 million users were exposed to the vulnerability[14].

6)   In May 2016, a security vulnerability in WhatsApp's server allowed hackers to access the phone numbers of 1.6 million users. The vulnerability was caused by a bug in how WhatsApp handled contact changes. When a user changes their phone number, WhatsApp does not properly update the contact information on its servers. This allowed hackers to exploit the vulnerability to obtain the phone numbers of other users[15].

WhatsApp quickly patched the vulnerability, but some users were still affected. The company advised users affected by the exploit and offered them a free subscription to its premium service.

7)   In January 2017, WhatsApp experienced a bug in its contact syncing feature that allowed users to see each other's phone numbers in their contact lists. The bug was caused by a misconfiguration in WhatsApp's servers, which was fixed within a few hours. However, some users were still affected by the bug and could see the phone numbers of other users they were not in contact with[16].

WhatsApp issued a statement apologizing for the bug, and it offered users a way to reset their contact lists and remove any phone numbers they had seen as a result of the bug. The company also said it was taking steps to prevent a similar bug from happening. The bug was a serious privacy issue, raising concerns about the security of WhatsApp's contact syncing feature. WhatsApp never released official figures on affected users, and estimates from third-party sources varied widely. Some reports suggested that as many as 100 million users may have been affected, while others put the figure closer to 10 million. Likely, the true number of affected users fell somewhere in between.

8)   In April 2017, a major vulnerability was discovered in WhatsApp's voice-calling feature that allowed attackers to listen to users' calls. The vulnerability was caused by a bug in how WhatsApp handled audio streams. The bug allowed attackers to intercept audio streams between two WhatsApp users and listen to the calls in real time. Karsten Nohl, a security researcher, discovered the vulnerability[17].

The vulnerability affected WhatsApp versions 2.16.34 and earlier and wasn't fixed until WhatsApp version 2.16.36. The vulnerability affected an estimated 300 million users.

9)   In May 2018, security researchers at Check Point Software Technologies discovered a vulnerability in WhatsApp's status feature that allowed attackers to see users' status updates without permission. The vulnerability existed in the way that WhatsApp handled links in status updates. If an attacker sent a link to a malicious website in a status update, and the victim clicked on the link, the attacker could see the victim's status updates[18].

The vulnerability affected all versions of WhatsApp up to and including version 2.18.100. WhatsApp released a patch for the vulnerability on May 10, 2018. Check Point estimated that the vulnerability could have affected 200 million WhatsApp users.

10)   In May 2019, WhatsApp disclosed a major vulnerability in its voice call function that could have allowed hackers to install spyware on users' devices. The vulnerability was said to affect 1.5 billion users of the app. The vulnerability was exploited by spyware called Pegasus, developed by the Israeli company NSO Group, which develops spyware for governments and nefarious organizations. Pegasus can track users' location, record calls, and read messages[19].

To exploit the vulnerability, an attacker must make a voice call to the victim's phone. The spyware could still be installed even if the victim did not answer the call.

11)   In November 2019, WhatsApp disclosed a vulnerability in its web client that could have allowed hackers to steal users' contact lists. The vulnerability was said to affect 200 million users of the app. NSO Group exploited the vulnerability. As with the May 2019 vulnerability, the spyware involved was the same software, Pegasus[20].

To exploit the vulnerability, the attacker sends a specially crafted link to the victim. If the victim clicks the link, the attacker could steal their contact list.

12)   In January 2020, WhatsApp disclosed a vulnerability in its group chat feature that could have allowed hackers to add users to groups without their permission. The vulnerability was said to affect 140 million users of the app[21].

NSO Group, the same Israeli company from previous attacks, exploited the vulnerability. The exploit allowed the attacker to send a specially crafted link to the victim. If the victim clicked on the link, the attacker could add them to a group chat without permission. WhatsApp released a patch for the vulnerability on January 21, 2020. However, some users may not have updated their apps, leaving them vulnerable to attack.

13)   In March 2021, WhatsApp disclosed a vulnerability in its voice-calling feature that could have allowed hackers to listen to users' calls. The vulnerability was said to affect 100 million users of the app. The vulnerability was exploited by the same group from previous attacks, NSO Group. The spyware used to exploit the March 2021 vulnerability was the same application, Pegasus[22].

14)   In February 2022, WhatsApp disclosed an exploit in its status feature that allowed hackers to see users' status updates without permission. The vulnerability was caused by a bug in how WhatsApp handles the caching of status updates. This bug allowed hackers to trick WhatsApp into caching a status update even if the user had set their privacy settings to prevent others from seeing it[23].

The vulnerability affected all versions of WhatsApp up to and including version 2.22.16.2. WhatsApp released a patch for the vulnerability on February 14, 2022. According to WhatsApp, the vulnerability was not exploited in the wild. However, the company estimated that the vulnerability may have affected up to 50 million users.

15)   In September 2022, WhatsApp disclosed CVE-2022-36934; the disclosure was made on September 22, 2022. This critical security flaw could allow attackers to execute remote code on a victim's device by sending a specially crafted video call. The vulnerability affects WhatsApp versions before 2.22.10.70 for Android and 2.22.10.71 for iOS[24].

The source of the vulnerability is not publicly known, but it is believed to have been discovered by a security researcher. WhatsApp has released a patch for this vulnerability, and users were encouraged to update their app to the latest version to protect themselves from CVE-2022-36934.

16)   On November 16, 2022, a database of 487 million WhatsApp user records was leaked online. The records included phone numbers, email addresses, and other personal data. The leak was likely caused by a security vulnerability in WhatsApp's systems[25].

WhatsApp has denied that a security vulnerability in its systems caused the leak. However, the company has not provided any other explanation for how the leak occurred.

As of August 2023, according to the Security Scorecard, there have been 59 documented vulnerabilities since 2018[26].

WhatsApp's Security Present Day

WhatsApp is a popular messaging app with end-to-end encryption to protect users' messages. However, some security threats that WhatsApp users must be aware of still exist. These threats include malware attacks, SIM swapping, and man-in-the-middle attacks[27].

      ⦁    Malware attacks are carried out by sending malicious links or attachments that, when opened, can install malware on a user's device. This malware can then steal personal information or take control of the device.

      ⦁   SIM swapping is an attack where hackers take control of a victim's phone number by convincing the victim's mobile carrier to switch their SIM card to a new device. This gives the hackers access to the victim's WhatsApp account and all their messages.

      ⦁    Man-in-the-middle attacks allow hackers to intercept messages between two users. This can be done by setting up a fake Wi-Fi network or exploiting a WhatsApp vulnerability.

There are numerous things that WhatsApp users can do to protect themselves from these security threats, including:

      ⦁   Keeping their devices updated: WhatsApp regularly releases security updates that fix vulnerabilities. It is important to install these updates as soon as they are available.

      ⦁    Avoid clicking on links and attachments: If a link or attachment looks suspicious, it likely is.

      ⦁   Using a strong password for their WhatsApp account: A complicated password will make it more difficult for hackers and malicious parties to access the account.

      ⦁    Enabling two-factor authentication: Two-factor authentication adds an extra layer of security to WhatsApp accounts.

      ⦁   Reduce your dependence on WhatsApp as a primary communications application. There are many safer options on the market.

      ⦁   Consider a quantum-proof messenger or a collaboration platform that is not centralized, such as Polynom.

It is important to remember that no security measure is flawless. It is always possible for hackers to find new ways to attack WhatsApp users. Therefore, it is important to be aware of the latest security threats and to take steps to protect oneself.

This last major leak has raised concerns about WhatsApp's users' data security. This leaked data could be used for malicious purposes, such as phishing, spam, identity theft, or even worse, political crackdowns and mass arrests.

The Law Enforcement Viewpoint

The FBI and law enforcement community have mixed opinions of WhatsApp[28]. On the one hand, they see it as a valuable tool for communication and collaboration. WhatsApp groups can be used to share information quickly and easily, and they can also be used to build relationships with informants and community members. Additionally, WhatsApp's end-to-end encryption makes it a secure platform for communication, which is important for law enforcement officials who often handle sensitive information.

On the other hand, the FBI and LE community also worry that criminals can use WhatsApp to communicate without fear of being intercepted. Additionally, WhatsApp's privacy features can make obtaining evidence in criminal investigations difficult for LE[29].

In recent years, there have been several high-profile cases where criminals have used WhatsApp to communicate with each other. For example, in 2015, the Islamic State of Iraq and Syria (ISIS) used WhatsApp to coordinate terrorist attacks in Paris[30]. And in 2016, the Mexican drug cartel Los Zetas used WhatsApp to communicate with each other and plan murders[31].

These cases have led some Federal officials to call for WhatsApp to weaken its encryption features so that they can more easily access evidence in criminal investigations[32]. However, WhatsApp has lightly resisted these calls, arguing that weakening its encryption would make it less secure for everyone.

Ultimately, the LE community's opinion of WhatsApp will likely remain mixed. The platform offers benefits and drawbacks for authorities, and the comparative importance of these factors varies depending on the specific circumstances.

WhatsApp Technology Stack

The technology stack of WhatsApp is a combination of open-source and proprietary software[33]. The main components of the stack are:

      ⦁   Erlang: WhatsApp uses the Erlang programming language and its runtime environment for scalable and concurrent applications. Erlang is known for its fault tolerance, scalability, and concurrency. WhatsApp uses Erlang because it is well-suited for handling the massive traffic it receives. Erlang is designed to handle large numbers of concurrent connections and messages, and it can recover from failures without bringing down the entire system.

      ⦁    FreeBSD: An open-source Unix-like operating system that runs WhatsApp's servers. FreeBSD is known for its stability and security, which are important factors for a messaging platform.

      ⦁   Ejabberd: An open-source XMPP (mentioned earlier) server that WhatsApp uses to handle messaging and presence. XMPP is a standard real-time messaging protocol, making it suitable for WhatsApp.

      ⦁    BEAM: The Erlang virtual machine that executes Erlang code. BEAM is responsible for managing the execution of Erlang programs and ensuring that they run efficiently.

      ⦁   Mnesia: An Erlang-based database in which WhatsApp stores data such as user profiles, messages, and groups. Mnesia is a fault-tolerant database that is well-suited for storing constantly changing data.

      ⦁    Yaws: An Erlang-based web server that WhatsApp uses to serve static content such as CSS files and images. Yaws is a lightweight web server that is well-suited for serving static content.

Conclusion

Even though WhatsApp remains a popular messaging app billions of people use worldwide, it has been criticized for its security vulnerabilities. As we have seen in recent years, several high-profile security breaches have exposed the personal data of many WhatsApp users.

CVE-2019-18426 was one of the most serious vulnerabilities of all time, allowing attackers to take control of a WhatsApp user's account without their knowledge. The attackers could then read the user's messages, send messages on their behalf, and even make calls[34].

CVE-2021-24027, discovered in 2021, also hurt WhatsApp's reputation[35]. This vulnerability allowed attackers to enact a man-in-the-disk attack and track the location of WhatsApp users without their knowledge. The attackers could also see the contacts of WhatsApp users and the groups they were a part of.

WhatsApp has taken steps to address these existing security vulnerabilities. This includes releasing security patches to fix the vulnerabilities and implementing new security features to prevent similar vulnerabilities from being exploited.

However, users need to be aware that there are many possible zero-hour and zero-day vulnerabilities to be discovered in the future. Zero-hour vulnerabilities are unknown to the software vendor, and no patch has been released. Zero-day vulnerabilities are even more serious because users cannot patch them, and attackers can exploit them to gain unauthorized access to devices or systems.

As stated above, here are some tips for users to stay safe on WhatsApp:

      ⦁    Keep your WhatsApp app up to date. WhatsApp regularly releases security patches, so installing them as soon as they are available is important.

      ⦁    Be careful about what links you click on. Attackers successfully send malicious links to WhatsApp users to exploit vulnerabilities. If you receive a link from someone you don't know, it is best to avoid clicking on it.

      ⦁    Use strong passwords and two-factor authentication. Complicated passwords and two-factor authentication can help prevent your account from unauthorized access.

      ⦁    Be aware of the risks of using WhatsApp in public places and public Wi-Fi. If you use WhatsApp publicly, be aware of Pineapples[36] and be careful about what information you share. Attackers could be listening in on your conversations.

By following these tips, you can help to protect yourself from security vulnerabilities on WhatsApp.

Footnotes:

  • [1] https://www.statista.com/statistics/1306022/whatsapp-global-unique-users/
  • [2] https://www.cvedetails.com/product-list/vendor_id-19851/Whatsapp.html
  • [3] https://campuspress-test.yale.edu/tribune/how-jan-koum-became-a-tech-titan/
  • [4] https://hbr.org/2016/07/whatsapp-grew-to-one-billion-users-by-focusing-on-product-not-technology
  • [5] https://aswathdamodaran.blogspot.com/2014/02/facebook-buys-whatsapp-for-19-billion.html
  • [6] https://www.cnbc.com/2018/09/26/whatsapp-co-founder-explains-why-he-left-facebook.html
  • [7] https://www.theverge.com/2018/11/1/18051294/whatsapp-status-advert-instagram-stories
  • [8] Everything About XMPP - Extensible Messaging & Presence Protocol. https://www.cometchat.com/blog/xmpp-extensible-messaging-presence-protocol
  • [9] A Really, Really, Really Good Introduction to XML. https://www.sitepoint.com/really-good-introduction-xml/
  • [10] https://tweakers.net/nieuws/79321/whatsapp-status-van-anderen-is-nog-steeds-te-wijzigen.html
  • [11] https://securityaffairs.com/24060/hacking/intelligence-exploit-whatsapp-bug-track-users-location.html
  • [12] https://thehackernews.com/2015/02/whatsapp-web-malware.html
  • [13] https://www.hackread.com/whatsapp-web-has-vulnerability-that-could-expose-user-photos/
  • [14] https://blog.checkpoint.com/research/whatsapp-maliciouscard-vulnerabilities-allowed-attackers-to-compromise-hundreds-of-millions-of-whatsapp-users/
  • [15] https://www.forbes.com/sites/thomasbrewster/2016/06/01/whatsapp-telegram-ss7-hacks/?sh=521e22eb178b
  • [16] https://eprint.iacr.org/2017/713
  • [17] https://www.theguardian.com/technology/2016/apr/19/ss7-hack-explained-mobile-phone-vulnerability-snooping-texts-calls
  • [18] https://research.checkpoint.com/2018/fakesapp-a-vulnerability-in-whatsapp/
  • [19] https://arstechnica.com/information-technology/2019/05/whatsapp-vulnerability-exploited-to-infect-phones-with-israeli-spyware/
  • [20] https://www.wsj.com/articles/alleged-spy-attack-via-whatsapp-sparks-concern-in-india-11572640154
  • [21] https://techcrunch.com/2020/09/03/whatsapp-security-flaws/
  • [22] https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/
  • [23] https://techcrunch.com/2022/09/27/whatsapp-critical-security-bug/
  • [24] https://nvd.nist.gov/vuln/detail/CVE-2022-36934
  • [25] https://cybernews.com/news/whatsapp-data-leak/
  • [26] https://www.cvedetails.com/product-list/vendor_id-19851/Whatsapp.html
  • [27] https://www.makeuseof.com/tag/4-security-threats-whatsapp-users-need-know/
  • [28] https://www.rollingstone.com/politics/politics-features/whatsapp-imessage-facebook-apple-fbi-privacy-1261816/
  • [29] https://www.forbes.com/sites/thomasbrewster/2017/01/22/whatsapp-facebook-backdoor-government-data-request/?sh=157ee4941030
  • [30] https://www.wsj.com/articles/how-islamic-state-weaponized-the-chat-app-to-direct-attacks-on-the-west-1476955802
  • [31] https://www.counteringcrime.org/cyberspace-newly-contested-turf-for-gangs-and-cartels
  • [32] https://www.justsecurity.org/79549/we-now-know-what-information-the-fbi-can-obtain-from-encrypted-messaging-apps/
  • [33] https://webo.digital/blog/whatsapp-tech-stack-explored/
  • [34] https://www.whatsapp.com/security/advisories/archive?lang=en_US
  • [35] https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/#
  • [36] https://www.vice.com/en/article/pa39xv/pineapple-wifi-how-to-mitm-hack