Sean Wright


Personal blog of app security guy, blogging about application security related topics, focused primarily on web based applications.

Sean Wright

WhatsApp

19th December 2017

Finding

WhatsApp servers support the weak protocol SSLv3, which is vulnerable to the POODLE attack. The WhatsApp servers are not vulnerable to POODLE since they support TLS_FALLBACK_SCSV. However, SSLv3 is no longer considered a secure protocol and should no longer be used.
In addition, the WhatsApp servers support cipher suites using the RC4 cipher, which is vulnerable to several attacks, including the Bar Mitzvah attack and the NOMORE attack.
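As an added check (not code from the original post), the following Python script probes a TLS endpoint you operate for the two conditions in the finding, SSLv3 being accepted and an RC4 suite being negotiable. It also reports when the local OpenSSL cannot even offer SSLv3 or RC4, since a "refused" result from such a build would be a false negative; the host name and port you pass in are assumptions.

```python
"""Audit a TLS endpoint you operate for SSLv3 and RC4 support (added example)."""
import socket
import ssl

def classify_cipher(name):
    """'weak' for any RC4 suite (OpenSSL or IANA naming), otherwise 'ok'."""
    return "weak" if "RC4" in name.upper() else "ok"

def try_handshake(host, port, version=None, ciphers=None, timeout=5.0):
    """One constrained handshake: (protocol, cipher) if the server accepted,
    None if it refused, 'untestable' if the local OpenSSL cannot even offer
    the constraint (modern builds ship without SSLv3 and RC4)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False              # probing support, not identity
    ctx.verify_mode = ssl.CERT_NONE
    if version is not None:
        if version == ssl.TLSVersion.SSLv3 and not ssl.HAS_SSLv3:
            return "untestable"
        ctx.options &= ~ssl.OP_NO_SSLv3     # Python sets OP_NO_SSLv3 by default
        ctx.minimum_version = ctx.maximum_version = version
    if ciphers is not None:
        try:
            ctx.set_ciphers(ciphers)        # raises if no local suite matches
        except ssl.SSLError:
            return "untestable"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None                         # server refused the constrained offer

def summarize(results):
    """{probe: outcome} -> [(probe, status, detail)]; status is 'accepted'
    (a finding), 'refused' (good) or 'untestable' (re-check with other tooling)."""
    rows = []
    for name, outcome in results.items():
        if outcome == "untestable":
            rows.append((name, "untestable", "local OpenSSL cannot offer it"))
        elif outcome is None:
            rows.append((name, "refused", "server would not negotiate it"))
        else:
            proto, cipher = outcome
            rows.append((name, "accepted", f"{proto} with {cipher} ({classify_cipher(cipher)})"))
    return rows

def audit(host, port=443):
    """Run both probes against one endpoint (host/port are the caller's assumptions)."""
    return summarize({"sslv3": try_handshake(host, port, version=ssl.TLSVersion.SSLv3),
                      "rc4": try_handshake(host, port, ciphers="RC4")})
```

Call `audit("your.server.example")` and treat any `accepted` row as a finding; an `untestable` row means this build of OpenSSL could not make the probe, so confirm with a scanner built with SSLv3 and RC4 support before concluding the server is clean.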


Resolution

Issue still remains as of 19 December 2017.

Vendor Notification

  • 9 November 2017 - Sent email to support team asking for appropriate channel to report issue.
  • 10 November 2017 - Sent details via support email to WhatsApp support team.
  • 15 November 2017 - Followed up asking for an update from WhatsApp support team.
  • 17 November 2017 - Received response from WhatsApp support team.
  • 18 November 2017 - Followed up with WhatsApp support team with details about the finding.
  • 22 November 2017 - Received response from WhatsApp support team stating that the issue would not be addressed immediately.
  • 22 November 2017 - Sent response to WhatsApp support team asking for a time frame as to when the issue would likely be addressed; no response given.
