A group of researchers discovered a vulnerability in WhatsApp “Location Share” feature which exposes user’s location to the attackers.

Security issues related to WhatsApp application are not a novelty, so popular application are continuously targeted by hackers and security experts that search for vulnerabilities to exploit. Early 2014 experts at Praetorian have been conducting the Project Neptune to assess the security for designing and maintenance of mobile apps, including WhatsApp.

The researchers  discovered different security issues in the way WhatApp implements SSL, the principal one is the lack of enforcing the “certificate pinning“ which exposed users to the risk of man-in-the-middle attacks, but the company after different alert fixed the flaws.

A last bug discovered in WhatsApp app exposes user’s location to attackers, in particular under analysis there is the WhatsApp “Location Share” feature.

According to Researchers at UNH Cyber Forensics Research & Education Group, the location sharing feature implemented by WhatsApp  could expose user’s location to attackers and Intelligence Agencies.

As illustrated by colleagues at The Hacker News in order to share their location on WhatsApp, users need to first locate themselves on Google Map within the app window.

Once the user has selected the position, WhatsApp fetches it and takes an image from the Google Map service, the thumbnail is then shared as the message icon. In this phase the user’s location is exposed because WhatsApp downloads the image through an unencrypted channel from Google allowing an attacker to capture it with a Man-in-the-middle attack.

Below the video Proof of Concept:

“We were not able to intercept the image until the message was sent from the phone, indicating that the download of the image did not occur until the message was actually sent.” researcher said.

In order to perform the MITM attack, the bad actor must be in the same network, this means the attacker must be around its victim, probably already knowing his location … but if an attacker is able to conduct a MITM attack on a large scale, the scenario changes.

 “such short-range dependency makes this vulnerability of very low severity level for normal attackers, but spy agencies like NSA or GCHQ, those are capable to perform large scale MITM attacks, could exploit this flaw to trace users’ locationnation-wide.” explained in a comment by Mohit Kumar.

Pierluigi Paganini

(Security Affairs –  WhatsApp, mobile)