WhatsApp servers support the weak protocol SSLv3. This protocol is vulnerable to the POODLE vulnerability. The WhatsApp servers are not vulnerable since they support TLS_FALLBACK_SCSV. However SSLv3 is no longer considered a secure protocol and should no longer be used.
In addition the WhatsApp servers support ciphersuites with the RC4 cipher. This is vulnerable to several vulnerabilities include the Bar-mitzvah Attack and the NOMORE Attack.
Issue still remains as of 19 December 2017.
- 9 November 2017 - Sent email to support team asking for appropriate channel to report issue.
- 10 November 2017 - Sent details via support email to WhatsApp support team.
- 15 November 2017 - Followed up asking for an update from WhatsApp support team.
- 17 November 2017 - Recieved response from WhatsApp support team.
- 18 November 2017 - Followed up with WhatsApp support team details about finding.
- 22 November 2017 - Recieved from WhatsApp support team stating that issue would not be addressed immediately.
- 22 November 2017 - Sent reponse to WhatsApp support team asking for a time frame as to when the issue would likely be addressed, no reponse given.