Researchers at UNH discover a bug in WhatsApp's location sending feature.
We recently discovered what we believe to be a flaw in the way WhatsApp sends location data: the map image it downloads from Google Maps for the location message is fetched unencrypted, leaving it open to interception through a rogue AP or any other man-in-the-middle attack. In the spirit of keeping the world a safer place, we felt it best to report this bug/vulnerability to the WhatsApp team directly, which we did. They responded professionally with the following message:
"Hello XXXXXX, Thank you for your report. We have already implemented this solution in the latest beta versions of our app. We will be rolling this fix out to the general public with the next release on each platform. If you have any other questions or concerns, please feel free to contact us. We would be happy to help!"
We would like to note that we think WhatsApp is a great application; the reason we are publicizing this on the blog is so that people will not share their location over WhatsApp until this bug is fixed.
Below we describe our experimental setup, the results, and the ramifications.
Network Forensics Experimental Setup
The mobile traffic was captured using the Windows 7 Virtual WiFi Miniport Adapter feature. The host computer was connected to the Internet via an Ethernet cable so that the physical wireless card was not in use. The Ethernet connection was set to share its Internet access with the virtual WiFi miniport adapter, which let us mimic a rogue access point (AP). With the phone joined to that network, we captured its traffic using NetworkMiner and Wireshark. This is explained in more detail in the posted video.
When sending a location over WhatsApp we were able to reconstruct the location image that was sent, as shown in our video. We note that the location could be captured only when the image was downloaded from Google Maps in order to be sent: the source of the traffic was Google Maps and the destination was the IP address of the tested phone. We were not able to intercept the image until the message was sent from the phone, indicating that the download of the image does not occur until the message is actually sent. To validate our results, we ran several experiments; in one case we installed tcpdump on the phone itself and found the same behaviour.
The download of the image from Google Maps should take place over an encrypted connection such as HTTPS.
As it stands, anyone on the network path, including the service provider, can collect this information, and anyone who sets up a rogue AP or mounts a man-in-the-middle attack such as ARP poisoning can capture this unencrypted traffic and view the locations being sent from a phone.
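As an added example (not the researchers' tooling, and not WhatsApp code), the following Python script audits a list of reconstructed HTTP request URLs, such as those exported from a Wireshark or NetworkMiner session on a monitored network, and flags map-image fetches that carry a location and travelled over plain HTTP, i.e. the pattern observed above. The map hostnames, the `staticmap` path and the query parameter names are assumptions for illustration, and the sample URLs are constructed.

```python
# Added example: flag map-image fetches that expose a location in the clear.
# Input is a list of request URLs reconstructed from a packet capture.
from urllib.parse import urlsplit, parse_qs

# Assumed for illustration: hosts serving map images and the query
# parameters that would carry a location in such a request.
MAP_HOSTS = {"maps.google.com", "maps.googleapis.com"}
LOCATION_PARAMS = {"center", "markers", "q", "ll"}


def classify_request(url):
    """Describe a request: is it a map fetch, does it carry a location,
    and did it travel over plain HTTP (visible to anyone on the path)?"""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    return {
        "host": parts.hostname,
        "map_fetch": parts.hostname in MAP_HOSTS,
        "carries_location": any(p in params for p in LOCATION_PARAMS),
        "plaintext": parts.scheme == "http",
    }


def find_location_leaks(urls):
    """Return the URLs that fetch a map image carrying a location over
    plain HTTP; an HTTPS fetch of the same image is not reported."""
    leaks = []
    for url in urls:
        info = classify_request(url)
        if info["map_fetch"] and info["carries_location"] and info["plaintext"]:
            leaks.append(url)
    return leaks


# Constructed sample: a plaintext map fetch (leak), the same fetch over
# TLS (no leak), and an unrelated plaintext request (no leak).
SAMPLE_URLS = [
    "http://maps.google.com/maps/api/staticmap?center=12.345,-67.890&zoom=15&size=200x200",
    "https://maps.google.com/maps/api/staticmap?center=12.345,-67.890&zoom=15&size=200x200",
    "http://example.invalid/index.html",
]

if __name__ == "__main__":
    for leak in find_location_leaks(SAMPLE_URLS):
        print("plaintext location leak:", leak)
```

Run against a real capture, the same check tells a network owner which applications on the network are still sending location images without encryption.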