Do not share your location with your friends on WhatsApp until this issue is fixed!
Published on Apr 13, 2014
When you send your location over WhatsApp, the location image is unencrypted! Do not share your location until this bug is fixed.
Researchers at UNH discover a bug in WhatsApp’s location sending feature.
We recently discovered what we believe to be a flaw in the way WhatsApp sends location data when it downloads the location from Google Maps. The main issue is that the location image is unencrypted, leaving it open to interception through either a rogue AP or any man-in-the-middle attack. In the spirit of keeping the world a safer place, we felt that it was best to send this bug/vulnerability to the WhatsApp team directly, which we did. They responded professionally with the following message:
“Hello XXXXXX, Thank you for your report. We have already implemented this solution in the latest beta versions of our app. We will be rolling this fix out to the general public with the next release on each platform. If you have any other questions or concerns, please feel free to contact us. We would be happy to help!”
We would like to note that we think WhatsApp is a great application, and the reason for us publicizing this on the blog is so that people will not share their location on WhatsApp until this bug is fixed.
Below we describe our experimental setup, the results, and the ramifications.
Network Forensics Experimental Setup
The mobile traffic was captured using the Windows 7 virtual WiFi miniport adapter feature. The host computer was connected to the Internet via an Ethernet cable so that the wireless card was not in use. The Ethernet connection was set to share its Internet access with the virtual WiFi miniport adapter; this helped us mimic a rogue access point (AP). We were now able to capture the traffic over the wireless network using NetworkMiner and Wireshark. This is explained more elaborately in the posted video.
When sending a location over WhatsApp, we were able to reconstruct the location image that was sent, as shown in our video. We note that the capturing of the location seems to occur only when the image was downloaded from Google Maps to be sent. The source was listed as Google Maps and the destination was the IP of the tested phone. We were not able to intercept the image until the message was sent from the phone, indicating that the download of the image did not occur until the message was actually sent. To validate our results, we ran multiple different experiments, and in one case, we installed tcpdump on the phone device and found similar results.
When the image is being downloaded from Google Maps, it should be done over an encrypted tunnel.
Anyone, including the service providers, will be able to collect this information, and anyone who sets up a rogue AP or mounts a man-in-the-middle attack such as ARP poisoning will be able to capture this unencrypted traffic and view the locations being sent from a phone.
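For testers checking their own app's traffic, the following added example (not from the original post or the researchers' tooling) scans a classic libpcap file, such as one written by `tcpdump -w`, and lists packets that begin an unencrypted HTTP response with an image Content-Type. It assumes Ethernet framing, IPv4, and response headers that fit in the first segment; the function names, sample capture and addresses are constructed for illustration.

```python
import struct

def cleartext_image_responses(pcap: bytes):
    """List (server_ip, client_ip, content_type) for every packet that begins
    an unencrypted HTTP response carrying an image."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    findings, off = [], 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":  # IPv4 only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 20:  # TCP only
            continue
        tcp = ip[ihl:]
        payload = tcp[(tcp[12] >> 4) * 4:]
        if not payload.startswith(b"HTTP/1."):  # TLS records never start this way
            continue
        head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").lower()
        for line in head.split("\r\n")[1:]:
            name, _, value = line.partition(":")
            if name.strip() == "content-type" and value.strip().startswith("image/"):
                src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
                findings.append((src, dst, value.strip()))
    return findings

def build_sample_pcap(payload: bytes, sport: int) -> bytes:
    """Constructed one-packet capture using documentation addresses."""
    tcp = struct.pack(">HHIIBBHHH", sport, 40000, 0, 0, 0x50, 0x18, 8192, 0, 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([203, 0, 113, 10]), bytes([192, 0, 2, 25])) + tcp
    frame = b"\x00" * 12 + b"\x08\x00" + ip
    return (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
            + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)

HTTP_IMAGE = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n\x89PNG"  # constructed
TLS_RECORD = b"\x17\x03\x03\x00\x04\xde\xad\xbe\xef"  # constructed, opaque to an observer

if __name__ == "__main__":
    print(cleartext_image_responses(build_sample_pcap(HTTP_IMAGE, 80)))
    print(cleartext_image_responses(build_sample_pcap(TLS_RECORD, 443)))
```

An empty result for a capture taken while sending a location is what a fixed build should produce; any entry means an image crossed the network in the clear.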