Everybody knows WhatsApp. As its official website says: "WhatsApp Messenger is a cross-platform mobile messaging app which allows you to exchange messages without having to pay for SMS. WhatsApp Messenger is available for iPhone, BlackBerry, Android, Windows Phone and Nokia and yes, those phones can all message each other! Because WhatsApp Messenger uses the same internet data plan that you use for email and web browsing, there is no cost to message and stay in touch with your friends."
So, this is the target of the advisory. Let's look at a strange behaviour of WhatsApp when a message containing a link is sent in a conversation.

While talking with people about this issue, it turned out that Luis Delgado was analyzing the same behaviour of WhatsApp, so we decided to write this paper and extend our research together. We will publish another paper with a deeper technical analysis and more tests performed.
It seems that, when auto-download of media is enabled, WhatsApp automatically follows any link that appears in a conversation, without user interaction: there is no need to open the chat window, nor even the application itself. It occurs in both directions, whether the link is sent or received.
This is what WhatsApp does. Suppose that we send the following link:

The expected behaviour is to do nothing: since it is just text, with no image or video attached, nothing should happen unless someone clicks the link. But this is not what actually happens.

If we look at the server side and analyze the log file, this is what it actually shows:
# tail -f foosec_access.log -n0
188.8.131.52 - - [01/Nov/2013:00:47:36 +0100] "GET / HTTP/1.1" 200 1056 "-" "Dalvik/1.6.0 (Linux; U; Android 4.1.2; GT-I9300 Build/JZO54K)"
As you may notice, this is not the User-Agent of a current mobile browser. Also, in this case only one of the phones had the required options enabled, which is why only one IP address appears. In addition, the User-Agent from a given device is, as expected, the same whether the link is sent or received.
This is not a critical issue, but it can still be used by attackers; notice that no human interaction is required. In fact, this strange behaviour of WhatsApp may be used to obtain information about the device (just look at the previous log):
- IP address (geolocation, ISP, ...)
- Mobile model
- OS version
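The information listed above is exactly what a server operator can read back out of an access log, so the same parsing is also the way to spot these automatic fetches on the defending side. The following is an added example (not code from the advisory) that splits Apache/nginx combined-format lines and flags requests whose User-Agent is the bare Android "Dalvik/..." client rather than a browser, extracting the Android version and handset model. The first sample line is the one shown in the advisory; the other two lines, the `example.test`-style addresses and the 192.0.2.x IPs are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Apache/nginx "combined" access-log line (the format of the log shown above).
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent of the Android runtime's built-in HTTP client, e.g.
# "Dalvik/1.6.0 (Linux; U; Android 4.1.2; GT-I9300 Build/JZO54K)".
# Browsers send a "Mozilla/..." string instead, so a bare Dalvik/ UA is a
# strong sign that an app, not the user, fetched the URL.
DALVIK_RE = re.compile(
    r'^Dalvik/(?P<dalvik>[\d.]+) \(Linux; U; Android (?P<android>[^;]+); (?P<device>[^)]+)\)$'
)


@dataclass
class AutoFetch:
    ip: str
    time: str
    path: str
    android_version: str
    model: str
    build: Optional[str]


def parse_combined(line: str) -> Optional[dict]:
    """Split one combined-format line into its fields, or None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_dalvik(ua: str) -> Optional[dict]:
    """Return the Android version / device model embedded in a Dalvik UA, or None."""
    m = DALVIK_RE.match(ua)
    if not m:
        return None
    device, _, build = m.group("device").partition(" Build/")
    return {"android": m.group("android"), "model": device, "build": build or None}


def find_auto_fetches(lines) -> List[AutoFetch]:
    """Return one AutoFetch per request that was made by the Dalvik client."""
    hits = []
    for line in lines:
        fields = parse_combined(line)
        if not fields:
            continue
        info = classify_dalvik(fields["ua"])
        if not info:
            continue
        parts = fields["request"].split(" ")
        path = parts[1] if len(parts) >= 2 else fields["request"]
        hits.append(AutoFetch(fields["ip"], fields["time"], path,
                              info["android"], info["model"], info["build"]))
    return hits


# Sample log: the first line is the one from the advisory above; the other two
# are constructed for this example (a mobile browser and a shell client).
SAMPLE_LOG = """\
188.8.131.52 - - [01/Nov/2013:00:47:36 +0100] "GET / HTTP/1.1" 200 1056 "-" "Dalvik/1.6.0 (Linux; U; Android 4.1.2; GT-I9300 Build/JZO54K)"
192.0.2.10 - - [01/Nov/2013:00:48:02 +0100] "GET / HTTP/1.1" 200 1056 "-" "Mozilla/5.0 (Linux; Android 4.1.2; GT-I9300 Build/JZO54K) AppleWebKit/537.36 Chrome/30.0 Mobile Safari/537.36"
192.0.2.11 - - [01/Nov/2013:00:49:15 +0100] "GET /robots.txt HTTP/1.1" 404 209 "-" "curl/7.32.0"
"""

if __name__ == "__main__":
    for hit in find_auto_fetches(SAMPLE_LOG.splitlines()):
        print(f"{hit.time} {hit.ip} fetched {hit.path} from {hit.model} "
              f"(Android {hit.android_version}, build {hit.build})")
```

Running it over the sample yields a single hit, the Samsung GT-I9300 on Android 4.1.2 from the advisory's log line; the Chrome and curl lines are ignored because their User-Agent does not match the Dalvik pattern.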
On the other hand, it is possible to provoke abnormal bandwidth consumption by sending links to large data, because the device automatically connects and downloads the linked content. This may incur extra charges in some countries and with some ISPs.

Finally, when the downloaded data exceeds the maximum amount of memory allowed, an exception is thrown, provoking a DoS on the application: WhatsApp runs out of memory and crashes. Observations from our tests:
- Only works on 3G or faster networks
- It seems to work in any WhatsApp version.
- It seems to work in any Android version.
- Redirects are followed 6 times at most.
- It doesn't seem to work on iPhone devices.
- No Cookie header is sent in the request, although a cookie was already set.
- Affected: WhatsApp versions prior to 2.11.134
WhatsApp has provided an update for the application, version 2.11.134, which fixes this behaviour. It is available at the following link:
On the other hand, in order to prevent this behaviour without updating the current version, all auto-downloads must be disabled in the WhatsApp settings. The following image shows, step by step, how to reach the menu from the application's settings menu:

You have to make sure that none of the options under the three scenarios (3G, Wi-Fi, traveling) is enabled; traveling is disabled by default, so:

Notice that, following the above instructions, WhatsApp will never connect automatically, nor will it auto-download any attached media.
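Disabling auto-download removes the exposure entirely, but the observations above (redirects followed 6 times at most, a crash once the downloaded data exceeds the memory available) also describe what a client that fetches links on a user's behalf must bound. The following is an added example, not code from the advisory or from WhatsApp, showing a fetch routine that caps redirects, refuses redirect loops, rejects an oversized declared Content-Length and stops reading the body the moment it passes a byte budget, so an unbounded response can never exhaust memory. The `transport` callable, the `example.test` site and the 1 MiB budget are assumptions constructed for the example; a real client would plug an HTTP library in behind the same interface.

```python
from io import BytesIO
from urllib.parse import urljoin

# Limits a client that fetches links on the user's behalf should enforce.
# The redirect cap mirrors the "6 redirects at most" observed above; the byte
# cap is what prevents an oversized response from exhausting memory.
MAX_REDIRECTS = 6
MAX_BYTES = 1024 * 1024  # 1 MiB: an assumed budget for this example


class FetchError(Exception):
    """Raised when a fetch would violate one of the limits."""


def read_capped(stream, max_bytes, chunk_size=8192):
    """Read from a stream, aborting as soon as more than max_bytes arrive.

    Reading in chunks matters: a response with no Content-Length (or a lying
    one) can only be bounded by counting what actually comes off the wire.
    """
    buf = bytearray()
    while True:
        part = stream.read(chunk_size)
        if not part:
            return bytes(buf)
        buf += part
        if len(buf) > max_bytes:
            raise FetchError(f"response exceeds {max_bytes} bytes")


def fetch_bounded(url, transport, max_redirects=MAX_REDIRECTS, max_bytes=MAX_BYTES):
    """Fetch url through transport(url) -> (status, headers, body_stream).

    Follows at most max_redirects redirects, refuses redirect loops, rejects
    a declared Content-Length above the cap, and never buffers more than
    max_bytes of body.
    """
    seen = set()
    for _ in range(max_redirects + 1):
        if url in seen:
            raise FetchError("redirect loop")
        seen.add(url)
        status, headers, body = transport(url)
        if status in (301, 302, 303, 307, 308):
            location = headers.get("Location")
            if not location:
                raise FetchError("redirect without Location")
            url = urljoin(url, location)
            continue
        if status != 200:
            raise FetchError(f"unexpected status {status}")
        declared = headers.get("Content-Length")
        if declared is not None and int(declared) > max_bytes:
            raise FetchError("declared length exceeds cap")
        return read_capped(body, max_bytes)
    raise FetchError("too many redirects")


# Constructed in-memory "site" standing in for real HTTP (example only).
def make_transport(site):
    def transport(url):
        status, headers, body = site[url]
        return status, dict(headers), BytesIO(body)
    return transport


def redirect_chain(base, hops):
    """Build base/r0 -> base/r1 -> ... -> base/r{hops}; the last hop returns 200 "done"."""
    site = {}
    for i in range(hops):
        site[f"{base}/r{i}"] = (302, {"Location": f"r{i + 1}"}, b"")  # relative Location
    site[f"{base}/r{hops}"] = (200, {"Content-Length": "4"}, b"done")
    return site


BASE = "http://example.test"
SITE = {
    f"{BASE}/": (200, {"Content-Length": "5"}, b"hello"),
    f"{BASE}/loop": (302, {"Location": "/loop"}, b""),
    # no Content-Length: a real server could keep streaming indefinitely
    f"{BASE}/unbounded": (200, {}, b"x" * 100_000),
}
SITE.update(redirect_chain(BASE, 6))            # six redirects: allowed
SITE.update(redirect_chain(BASE + "/deep", 7))  # seven redirects: refused


def demo():
    """Exercise each limit; returns the outcome of every case as a dict."""
    t = make_transport(SITE)
    out = {"plain": fetch_bounded(f"{BASE}/", t), "six": fetch_bounded(f"{BASE}/r0", t)}
    for name, url, cap in (("seven", f"{BASE}/deep/r0", MAX_BYTES),
                           ("loop", f"{BASE}/loop", MAX_BYTES),
                           ("oversize", f"{BASE}/unbounded", 4096)):
        try:
            fetch_bounded(url, t, max_bytes=cap)
            out[name] = "fetched"
        except FetchError as e:
            out[name] = str(e)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result!r}")
```

The important design point is the last case: with no Content-Length header there is nothing to check up front, so only the chunked read with a running total can stop the download before the process runs out of memory, which is the failure the advisory reports.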
- 01-Nov-2013 Sent email to WhatsApp support asking for a security contact email
- 01-Nov-2013 First auto-generated email response (ticket received and opened)
- 05-Nov-2013 Second auto-generated email response (general information)
- 05-Nov-2013 Sent email insisting on how to provide technical details about security issues
- 06-Nov-2013 Support confirms that technical details can be sent to the support email
- 06-Nov-2013 Sent technical details to vendor
- 11-Nov-2013 No response from WhatsApp, so another email is sent asking for a reply
- 12-Nov-2013 Response with questions about the DoS; existence of security@whatsapp notified
- 12-Nov-2013 Step-by-step reproduction sent to WhatsApp support and security contacts
- 14-Nov-2013 No response from WhatsApp, so another email is sent asking for a reply
- 14-Nov-2013 They cannot reproduce the behaviour with the latest WhatsApp version
- 14-Nov-2013 Latest version checked and the issue was fixed, so we published this paper