Urgent: WhatsApp Android Stores User Messages Unencrypted on SD Card

By Major Burdock, The Goldwater · 05-22-2017
Photo credit: Kheng Ho Toh | Dreamstime.com

…developing…

According to nightwatchcybersecurity.com:

"WhatsApp Messenger for Android does not delete sent and received files from the SD card on the device when chats are cleared, deleted or the application is uninstalled from the device. Additionally, the application stores sent and received files in the SD card without encryption where they are accessible to any applications with storage permissions."

"The vendor (Facebook) doesn’t consider these to be security issues and does not plan to fix them. MITRE has assigned CVE-2017-8769 for these issues. It is also unclear whether platforms other than Android are affected."

Both sent and received files are retained here:

/WhatsApp/Media/
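
To check what this behaviour leaves behind after chats are cleared or the app is uninstalled, the following added example (not from the article or the advisory) inventories the files under WhatsApp/Media on a storage root you supply, such as a mounted SD card or a pulled copy of it. The function names and the storage-root argument are assumptions; only the WhatsApp/Media path comes from the article.

```shell
#!/bin/sh
# Added example: inventory files that remain under <storage-root>/WhatsApp/Media.
# The storage root is an assumption passed by the caller.

# Count regular files under a directory; safe for names with spaces or newlines.
count_files() {
    find "$1" -type f -exec printf '.' \; | wc -c | tr -d ' '
}

# Sum the size in bytes of all regular files under a directory.
# Reads every file, so expect it to take a while on a large media store.
sum_bytes() {
    find "$1" -type f -exec cat {} + | wc -c | tr -d ' '
}

# Print one "<files> <bytes> <path>" line per visible media subfolder, then a
# TOTAL line that also covers hidden subfolders and loose files.
# Exit status: 0 = nothing left behind, 1 = residual files found, 2 = no media dir.
audit_whatsapp_media() {
    media="$1/WhatsApp/Media"
    if [ ! -d "$media" ]; then
        echo "no WhatsApp/Media directory under $1" >&2
        return 2
    fi
    for dir in "$media"/*/; do
        [ -d "$dir" ] || continue          # glob matched nothing
        printf '%s %s %s\n' "$(count_files "$dir")" "$(sum_bytes "$dir")" "$dir"
    done
    total=$(count_files "$media")
    printf '%s %s TOTAL\n' "$total" "$(sum_bytes "$media")"
    [ "$total" -eq 0 ]
}

# Run the audit only when a storage root is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_whatsapp_media "$1"
fi
```

A non-zero TOTAL on a device where the chats were cleared or the app was removed means those files are still readable by any app holding storage permission.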

Facebook's response to nightwatchcybersecurity.com:

"Thanks again for your report. We contacted the WhatsApp team about your report, and they confirmed that the behavior you describe is intentional. They designed the Android app to optimize for the storage space available on devices and allow media in WhatsApp to be visible in other apps like the Google Photos gallery. WhatsApp doesn’t assume that clearing the chat means clearing the media files as well. While the behavior might change in the future, we currently don’t have any plans to do so."

Please visit the source link below for instructions on how to mitigate.

…developing…

Source:

https://wwws.nightwatchcybersecurity.com/2017/05/17/advisory-whatsapp-for-android-privacy-issues-with-handling-of-media-files-cve-2017-8769/
