
Intelligence could exploit WhatsApp bug to track users' location

A group of researchers discovered a vulnerability in WhatsApp's “Location Share” feature that exposes the user's location to attackers.

Security issues in the WhatsApp application are nothing new: popular applications are continuously targeted by hackers and security experts searching for vulnerabilities to exploit. In early 2014, experts at Praetorian were conducting Project Neptune to assess the security of the design and maintenance of mobile apps, including WhatsApp.

The researchers discovered several security issues in the way WhatsApp implements SSL. The principal one was the lack of enforced “certificate pinning”, which exposed users to the risk of man-in-the-middle attacks; the company fixed the flaws after several alerts.

The latest bug discovered in the WhatsApp app exposes the user's location to attackers; the feature under analysis is WhatsApp's “Location Share”.

According to researchers at the UNH Cyber Forensics Research & Education Group, the location sharing feature implemented by WhatsApp could expose a user's location to attackers and intelligence agencies.

As illustrated by colleagues at The Hacker News, to share their location on WhatsApp, users first need to locate themselves on Google Maps within the app window.

Once the user has selected the position, WhatsApp fetches it and retrieves an image from the Google Maps service; the thumbnail is then shared as the message icon. In this phase the user's location is exposed, because WhatsApp downloads the image from Google over an unencrypted channel, allowing an attacker to capture it with a man-in-the-middle attack.

Below is the video proof of concept:

“We were not able to intercept the image until the message was sent from the phone, indicating that the download of the image did not occur until the message was actually sent,” the researcher said.

To perform the MITM attack, the bad actor must be on the same network. This means the attacker must be near the victim and probably already knows the victim's location; but if an attacker is able to conduct MITM attacks on a large scale, the scenario changes.

“Such short-range dependency makes this vulnerability of very low severity level for normal attackers, but spy agencies like NSA or GCHQ, which are capable of performing large scale MITM attacks, could exploit this flaw to trace users’ location nation-wide,” explained Mohit Kumar in a comment.

The researchers promptly reported the vulnerability to WhatsApp, which has fixed it in the latest beta version available on the company's official website; the fix will soon be deployed in the official release as well.

While waiting for the fix, users are advised to avoid sharing their location using WhatsApp when connected to an untrusted network.
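The flaw described above is a map-thumbnail request that carries the position in its URL over plain HTTP. The sketch below is an added example, not code from the article, the researchers or WhatsApp: a check an app tester can run over outbound URLs recorded while testing their own app, flagging any that expose coordinates in cleartext. The host names, query parameter names and coordinates are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query parameters that commonly carry a position in map-image URLs (assumed names).
COORD_PARAMS = {"center", "markers", "ll", "q"}
COORD_RE = re.compile(r"(-?\d{1,2}(?:\.\d+)?)\s*,\s*(-?\d{1,3}(?:\.\d+)?)")


def extract_coords(url):
    """Return (lat, lon) found in a coordinate-bearing query parameter, else None."""
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.lower() not in COORD_PARAMS:
            continue
        m = COORD_RE.search(value)
        if not m:
            continue
        lat, lon = float(m.group(1)), float(m.group(2))
        if -90 <= lat <= 90 and -180 <= lon <= 180:
            return lat, lon
    return None


def audit_requests(urls):
    """Report every request whose URL carries a position, marking cleartext ones."""
    findings = []
    for url in urls:
        coords = extract_coords(url)
        if coords is None:
            continue
        scheme = urlsplit(url).scheme.lower()
        # Over https the path and query are encrypted; over http they are readable in transit.
        findings.append({"url": url, "coords": coords, "cleartext": scheme == "http"})
    return findings


# Constructed sample of an app's outbound requests; hosts and coordinates are made up.
SAMPLE_REQUESTS = [
    "http://maps.example.test/staticmap?center=41.9028,12.4964&zoom=15&size=100x100",
    "https://maps.example.test/staticmap?center=41.9028,12.4964&zoom=15&size=100x100",
    "http://cdn.example.test/avatar.png?size=100,100",
    "http://maps.example.test/staticmap?markers=color:red%7C48.8566,2.3522&zoom=14",
]

if __name__ == "__main__":
    for f in audit_requests(SAMPLE_REQUESTS):
        print("LEAK " if f["cleartext"] else "ok   ", f["coords"], f["url"])
```

Any finding marked as cleartext means the thumbnail fetch should be moved to HTTPS, ideally with the certificate pinning mentioned earlier in the article.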

Pierluigi Paganini

(Security Affairs – WhatsApp, mobile)
