WhatsApp Comes Under New Scrutiny For Privacy Policy.

Facebook no doubt did its due diligence before acquiring messaging app firm WhatsApp for more than the gross domestic product of Iceland. But now that the deal’s been announced, the privacy community is subjecting the company to its own form of scrutiny, and finding a lot not to like.

On Thursday, a researcher at the security firm Praetorian outlined a series of oversights in how WhatsApp ensures the encryption of its users’ communications, the latest in a series of concerns raised over the degree to which the company protects its 450 million users’ privacy from hackers, spies and now its new owners at Facebook.

The researcher points to the lack of the SSL encryption safeguard known as “certificate pinning,” which prevents the forgery of the digital certificate proving that an app or website is sending encrypted information to the intended recipient. SSL’s certificate forgery problem has come to light as certificate authority firms including Diginotar and Comodo have been hacked to create false credentials and perform “man-in-the-middle” attacks that would invisibly intercept data despite supposed SSL encryption. Though the attack would require a certain level of sophistication, WhatsApp could have easily prevented it with certificate pinning, the researcher points out. “It basically allows them—or an attacker—to man-in-the-middle the connection and then downgrade the encryption so they can break it and sniff the traffic.”
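What a pinned client with a protocol floor looks like, as an added example (not code from WhatsApp, Praetorian or this article). The function names and the pin value are constructed for illustration, and the pin here is the SHA-256 of the whole server certificate; many deployments pin the public key instead.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed sample pin: SHA-256 (hex) of a stand-in "certificate".
# A real client ships the fingerprint(s) of its own server certificate.
SAMPLE_CERT_DER = b"constructed-sample-certificate"
PINNED_SHA256 = {hashlib.sha256(SAMPLE_CERT_DER).hexdigest()}


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins: set) -> bool:
    """True only if the presented certificate is one the client shipped with."""
    fp = fingerprint(der_cert)
    return any(hmac.compare_digest(fp, pin) for pin in pins)


def hardened_context() -> ssl.SSLContext:
    """CA validation and hostname checks on, old protocol versions refused."""
    ctx = ssl.create_default_context()
    # Protocol floor: a man-in-the-middle cannot negotiate the session
    # down to SSLv3 / TLS 1.0 / TLS 1.1.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect_pinned(host: str, port: int, pins: set, timeout: float = 10.0) -> str:
    """Handshake, then reject any certificate that is not pinned.

    A certificate issued by a compromised CA passes normal chain
    validation but fails here, because its fingerprint is not in `pins`.
    Returns the negotiated protocol version on success.
    """
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, pins):
                raise ssl.SSLError("server certificate does not match pin")
            return tls.version()
```

Pins have to be rotated together with the server certificate, so clients usually ship a backup pin alongside the current one.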
