An Android developer’s disclosure that it’s possible to hack into the WhatsApp database and read the text of the chats from another application could be a big headache for Facebook, which has agreed to purchase the app for US$19 billion.
“This is not a bug, but a design decision of WhatsApp,” Bas Bosschert, chief technology officer of Double Think, told LinuxInsider.
“They selected for usability in their design, not security,” he continued. “I didn’t find anything new — I only showed how people could abuse this flaw with a working proof of concept.”
The flaw works if the database backup capability is enabled, which it apparently is by default, commenters on Bosschert’s blog post said.
Although WhatsApp had encrypted its database in February, that encryption is available only in new installations, and updates still use the old, unencrypted version, Bosschert remarked.
Facebook and WhatsApp did not respond to our request to comment for this story.
The process seems straightforward — Bosschert created a PHP script to store the database on a Web server, created an Eclipse project with some additional lines in the AndroidManifest.xml file, and grabbed the mststore.db and wa.db WhatsApp files, which are unencrypted.
His application displayed a simple loading screen during that process so users wouldn’t notice their WhatsApp database was being pilfered.
The hack is possible because the WhatsApp database used to be written in SQLite3. Openssl apparently also could be used to hack the database.
Although it appears WhatsApp encrypted the msgstore.db database using the .crypt utility, it’s still possible to read chats from the encrypted database by creating a simple Python script, which converts it to a plain SQLite 3 database.