Unless you’ve been living under a rock the past week, you probably heard about Facebook’s purchase of the WhatsApp messaging service for the price of a small island, or all of Iceland’s annual GDP.
While the internet has been abuzz ever since with speculation as to why the price was set so high, it’s clear that Facebook isn’t willing to ignore the app’s massive success: WhatsApp currently tips just over the 450 million user mark, with another million being added every single day.
As of the purchase, Facebook’s own messaging program sits in a close third behind WhatsApp, lagging its figures by only a few million users. So why was Facebook so keen on picking up the chat client for a wallet-crunching $16 billion last Monday?
Even though the reasons for the overzealous valuation are still anyone’s guess, it’s the gaping security flaws in several different portions of the app’s code and encryption technique that have got privacy and security professionals worried the most.
First, and perhaps most worryingly, is WhatsApp’s reliance on the aging SSL version 2, which is already vulnerable to several well-known attacks that don’t require high levels of knowledge or processing power to execute.
Agencies like the NSA could slurp this data up by the mouthful and have its contents cracked within hours, and that is before counting WhatsApp’s lack of certificate pinning, a gaping hole in its own right. Pinning is the practice, relied on by many applications across all platforms, of accepting only a known certificate or public key for the app’s servers, so that a substitute certificate is rejected even if it would otherwise validate.
“This is the kind of stuff the NSA would love,” Praetorian’s Paul Jauregui wrote. “It basically allows them—or an attacker—to man-in-the-middle the connection and then downgrade the encryption so they can break it and sniff the traffic. These security issues put WhatsApp user information and communications at risk.”
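The two defences the passage above says are missing, a protocol floor that refuses SSLv2 and certificate pinning, are what a client needs so that a man-in-the-middle cannot downgrade the connection or substitute its own certificate. The following is an added example written for this article; it is not WhatsApp’s code and not Praetorian’s. It uses only the Python standard library: `strict_client_context` builds a client TLS context whose minimum protocol is TLS 1.2, and `check_pins` pins on the SHA-256 of the certificate’s SubjectPublicKeyInfo, the pin form used by HPKP and Android’s network security configuration. The certificate it parses is a constructed, unsigned, certificate-shaped DER blob built by `build_sample_cert` so the example runs offline; the function names are my own.

```python
"""Added example: TLS protocol floor plus SPKI certificate pinning (not WhatsApp's or Praetorian's code)."""
import base64
import hashlib
import ssl

SEQUENCE = 0x30     # DER tag for SEQUENCE
EXPLICIT_0 = 0xA0   # [0] EXPLICIT, used for the optional X.509 version field


def _tlv(tag, value):
    """Encode one DER tag-length-value (used here only to construct sample input)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    length_bytes = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def _read_tlv(buf, pos):
    """Decode the DER element at buf[pos]; return (tag, value, raw_element, next_pos)."""
    start = pos
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long form: low bits give the length's size
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], buf[start:end], end


def _children(value):
    """Return [(tag, raw_element), ...] for the elements directly inside a SEQUENCE body."""
    out, pos = [], 0
    while pos < len(value):
        tag, _, raw, pos = _read_tlv(value, pos)
        out.append((tag, raw))
    return out


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 field order)."""
    tag, cert_body, _, _ = _read_tlv(cert_der, 0)
    if tag != SEQUENCE:
        raise ValueError("certificate is not a SEQUENCE")
    tag, tbs_body, _, _ = _read_tlv(cert_body, 0)
    if tag != SEQUENCE:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = _children(tbs_body)
    if fields and fields[0][0] == EXPLICIT_0:  # optional version comes first; skip it
        fields = fields[1:]
    # Remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    tag, spki = fields[5]
    if tag != SEQUENCE:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki


def spki_pin(cert_der):
    """base64(SHA-256(SPKI)): the pin form used by HPKP and Android network security config."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode("ascii")


def check_pins(cert_der, pins):
    """True only if the server key matches a pin shipped with the app; a CA-signed
    substitute certificate with a different key is rejected here even though it chains."""
    return spki_pin(cert_der) in set(pins)


def strict_client_context():
    """Client TLS context that refuses SSLv2/SSLv3/TLS 1.0/1.1, so a downgrade fails."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    return ctx


def build_sample_cert(key_bytes):
    """Construct an unsigned, certificate-shaped DER blob (constructed test input, not a real cert)."""
    rsa_oid = bytes.fromhex("2A864886F70D010101")            # 1.2.840.113549.1.1.1 rsaEncryption
    algorithm = _tlv(SEQUENCE, _tlv(0x06, rsa_oid) + _tlv(0x05, b""))
    spki = _tlv(SEQUENCE, algorithm + _tlv(0x03, b"\x00" + key_bytes))
    tbs = _tlv(SEQUENCE, _tlv(EXPLICIT_0, _tlv(0x02, b"\x02"))   # version v3
                         + _tlv(0x02, b"\x01")                    # serialNumber
                         + _tlv(SEQUENCE, b"")                    # signature
                         + _tlv(SEQUENCE, b"")                    # issuer
                         + _tlv(SEQUENCE, b"")                    # validity
                         + _tlv(SEQUENCE, b"")                    # subject
                         + spki)
    return _tlv(SEQUENCE, tbs + _tlv(SEQUENCE, b"") + _tlv(0x03, b"\x00")), spki


SAMPLE_CERT, SAMPLE_SPKI = build_sample_cert(b"\x01" * 200)     # constructed key material
SAMPLE_PIN = spki_pin(SAMPLE_CERT)                              # what the app would ship
SUBSTITUTE_CERT, _ = build_sample_cert(b"\x02" * 200)           # same shape, different key
```

Pinning on the public key rather than the whole certificate lets the operator renew the certificate without shipping a new app build, as long as the key is kept; a backup pin for a spare key avoids locking clients out if the primary key must be rotated.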
WhatsApp has been in this position before, most recently in October of last year, when a computer science student from Utrecht University in the Netherlands pointed out a fatal encryption bug that allowed anyone with even a rudimentary understanding of the algorithm to crack it with ease.