WhatsApp

Finding

WhatsApp servers support the weak protocol SSLv3, which is vulnerable to the POODLE attack. The WhatsApp servers are not vulnerable to the POODLE downgrade because they support TLS_FALLBACK_SCSV. However, SSLv3 is no longer considered a secure protocol and should no longer be used.
In addition, the WhatsApp servers support ciphersuites that use the RC4 cipher. RC4 is subject to several known attacks, including the Bar Mitzvah attack and the NOMORE attack.
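The two issues above (a legacy protocol still offered, and RC4 suites still offered) are exactly what a TLS configuration audit should flag. The following is an added example, not part of the original finding and not WhatsApp's or any scanner's own code: it parses scan output written in the style of nmap's `ssl-enum-ciphers` script (the sample text is constructed for this example and is not real scan data) and returns findings for SSLv2/SSLv3 and for any RC4 ciphersuite. Whether the server honours TLS_FALLBACK_SCSV is passed in as a separate boolean, since that is established by a downgrade check rather than by the cipher listing; the severity labels are this example's own policy.

```python
"""Audit advertised TLS protocols and ciphersuites against a minimal policy.

Flags:  - SSLv2 / SSLv3 offered (POODLE exposure; downgraded to "low" when the
          server supports TLS_FALLBACK_SCSV, since the downgrade is then blocked)
        - any RC4 ciphersuite offered (Bar Mitzvah / NOMORE class of attacks)
"""
import re
from dataclasses import dataclass

# Constructed sample in the style of nmap's ssl-enum-ciphers output.
# It is NOT real scan data; it only mirrors the shape of the finding above.
SAMPLE_SCAN = """\
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     compressors:
|       NULL
|_  least strength: C
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}

# Protocol header lines sit at indent 3 ("|   SSLv3:"), suite lines at indent 7.
PROTO_RE = re.compile(r"^\|\s{3}(SSLv[23]|TLSv1(?:\.[0-3])?):\s*$")
SUITE_RE = re.compile(r"^\|\s{7}((?:TLS|SSL)_[A-Z0-9_]+)\b")


@dataclass
class Finding:
    issue: str      # "weak-protocol" or "rc4"
    protocol: str   # protocol version the issue was observed under
    severity: str   # example policy: "high" / "medium" / "low"
    detail: str


def parse_enum_ciphers(text: str) -> dict:
    """Return {protocol: [ciphersuite, ...]} from nmap-style output."""
    suites: dict = {}
    current = None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            suites[current] = []
            continue
        m = SUITE_RE.match(line)
        if m and current is not None:
            suites[current].append(m.group(1))
    return suites


def audit(suites: dict, fallback_scsv: bool) -> list:
    """Apply the policy to a parsed listing and return Finding objects."""
    findings = []
    for proto, names in suites.items():
        if proto in WEAK_PROTOCOLS:
            if fallback_scsv:
                sev, note = "low", "downgrade blocked by TLS_FALLBACK_SCSV, but the protocol should be disabled"
            else:
                sev, note = "high", "POODLE downgrade possible (no TLS_FALLBACK_SCSV)"
            findings.append(Finding("weak-protocol", proto, sev, f"{proto} offered: {note}"))
        for name in names:
            if "_RC4_" in name:
                findings.append(Finding("rc4", proto, "medium", f"RC4 ciphersuite offered: {name}"))
    return findings


def audit_scan(text: str, fallback_scsv: bool) -> list:
    """Convenience wrapper: parse then audit."""
    return audit(parse_enum_ciphers(text), fallback_scsv)


if __name__ == "__main__":
    for f in audit_scan(SAMPLE_SCAN, fallback_scsv=True):
        print(f"[{f.severity}] {f.issue} ({f.protocol}): {f.detail}")
```

Running the block against the constructed sample yields three findings: SSLv3 offered (rated low because the fallback SCSV is honoured), and RC4 offered under both SSLv3 and TLSv1.2. The same listing audited with `fallback_scsv=False` raises the SSLv3 finding to high, which is the distinction the finding above draws between "supports SSLv3" and "exploitable via POODLE".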


Resolution

Issue still remains as of 19 December 2017.

Vendor Notification

  • 9 November 2017 - Sent email to support team asking for appropriate channel to report issue.
  • 10 November 2017 - Sent details via support email to WhatsApp support team.
  • 15 November 2017 - Followed up asking for an update from WhatsApp support team.
  • 17 November 2017 - Received response from WhatsApp support team.
  • 18 November 2017 - Followed up with WhatsApp support team details about finding.
  • 22 November 2017 - Received response from WhatsApp support team stating that the issue would not be addressed immediately.
  • 22 November 2017 - Sent response to WhatsApp support team asking for a time frame as to when the issue would likely be addressed; no response given.