There is a security hole in WhatsApp, the instant messaging platform just purchased by Facebook for $19 billion.
The flaw can allow attackers to gain access to the private chats of Android device owners.
Bas Bosschert, the researcher that found the vulnerability, said any Android app allowed access to the SD card installed on the device can easily access private conversations.
All chats end up saved in a database file (msgstore.db) stored on the SD card. Bosschert has developed a proof-of-concept which demonstrates that any app granted permission to access the card can easily retrieve the database and upload it to a remote server.
Bosschert said in newer versions of WhatsApp, the database file ends up encrypted. However, this doesn’t mean that users’ private chats are secure. It just means an attacker would have to decrypt the database file to gain access to its contents.
The decryption key is in WhatsApp Xtract, an app that allows users to create backups of WhatsApp conversations.
The POC developed by the researcher is so that when the database ends up retrieved, the victim only sees a simple loading screen. Cybercriminals could combine the data-stealing code with a popular application to harvest a large number of databases.