Yet another security issue with WhatsApp

During the last week, I was playing with WhatsApp and I noticed a strange behavior under certain circumstances that may provoke a DoS attack against the application and information disclosure.

Everybody knows WhatsApp, as its official website says: WhatsApp Messenger is a cross-platform mobile messaging app which allows you to exchange messages without having to pay for SMS. WhatsApp Messenger is available for iPhone, BlackBerry, Android, Windows Phone and Nokia and yes, those phones can all message each other! Because WhatsApp Messenger uses the same internet data plan that you use for email and web browsing, there is no cost to message and stay in touch with your friends.

That is the target of this advisory. Let's look at a strange behaviour of WhatsApp when a message containing a link is sent in a conversation.

Authors

While talking with people about this issue, it turned out that Luis Delgado was analyzing the same behavior of WhatsApp, so we decided to write this paper and extend our research together.
Ferran Pichel (@fpichel): foosec.com
Luis Delgado (@ldelgadoj): ldelgado.es
We will publish another paper with a deeper technical analysis and more tests performed.

The Issue

It seems that, when auto-download of media is enabled, WhatsApp automatically follows any link that appears in a conversation without user interaction: there is no need to open the chat window or even the application itself. It occurs in both directions, whether the link is sent or received.

This is what WhatsApp does. Suppose that we send the following link:


The expected behaviour is that nothing happens: it is just text with no image or video attached, so nothing should be fetched unless someone clicks the link. But that is not what actually happens.

This is what really happens. If we look at the server side and analyze the log file, this is what it actually shows:
  # tail -f foosec_access.log -n0
  213.143.51.207 - - [01/Nov/2013:00:47:36 +0100] "GET / HTTP/1.1" 200 1056 "-" "Dalvik/1.6.0 (Linux; U; Android 4.1.2; GT-I9300 Build/JZO54K)"
As you may notice, this is not the User-Agent of any current mobile browser. In this test only one of the phones had the required option enabled, which is why only one IP address appears. In addition, as expected, the User-Agent of a given device is the same whether the link is sent or received.

Possibilities

This is not a critical issue, but it can still be abused, and note that no human interaction is required. This behaviour of WhatsApp can be used to obtain information about the device (just look at the log entry above), including:

  • IP address (geolocation, ISP, ...)
  • Mobile model
  • OS Version
It is also possible to cause abnormal bandwidth consumption by sending links that point to large amounts of data, because the device automatically connects and downloads them. This may incur extra charges with some ISPs and in some countries.
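As an added example (not part of the original advisory), the following Python script parses combined-format access-log lines like the one shown above and flags entries whose User-Agent is the Android Dalvik runtime rather than a browser, extracting the fields listed under Possibilities (IP address, device model, OS version). A site owner can use it to tell automatic WhatsApp fetches apart from real visits and to confirm, after updating to 2.11.134, that they have stopped. The log-format regex and the second, browser-originated log line are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Apache/Nginx "combined" log format, matching the advisory's tail -f excerpt (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# "Dalvik/..." is the default User-Agent of Android's HttpURLConnection,
# i.e. the request comes from an app, not from a mobile browser.
DALVIK_RE = re.compile(
    r'Dalvik/(?P<dalvik>[\d.]+) \(Linux; U; Android (?P<android>[\d.]+); '
    r'(?P<model>[^;)]+?) Build/(?P<build>[^)]+)\)'
)

@dataclass
class AutoFetch:
    ip: str        # reveals geolocation / ISP
    ts: str
    path: str
    android: str   # OS version
    model: str     # device model
    build: str

def parse_line(line: str) -> Optional[AutoFetch]:
    """Return an AutoFetch record if the line is a Dalvik (non-browser) hit, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ua = DALVIK_RE.search(m.group("ua"))
    if not ua:
        return None
    parts = m.group("req").split()
    path = parts[1] if len(parts) >= 2 else m.group("req")
    return AutoFetch(ip=m.group("ip"), ts=m.group("ts"), path=path,
                     android=ua.group("android"), model=ua.group("model").strip(),
                     build=ua.group("build"))

def scan(lines: Iterable[str]) -> List[AutoFetch]:
    """Filter a log stream down to the automatic (Dalvik) fetches."""
    return [r for r in map(parse_line, lines) if r is not None]

# Constructed sample: the advisory's own line plus an ordinary browser hit.
SAMPLE_LOG = [
    '213.143.51.207 - - [01/Nov/2013:00:47:36 +0100] "GET / HTTP/1.1" 200 1056 "-" "Dalvik/1.6.0 (Linux; U; Android 4.1.2; GT-I9300 Build/JZO54K)"',
    '198.51.100.7 - - [01/Nov/2013:00:48:02 +0100] "GET /index.html HTTP/1.1" 200 1056 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.ts} {hit.ip} auto-fetched {hit.path}: Android {hit.android} on {hit.model} (build {hit.build})")
```

Feeding it a live log (for example piping tail -f through it) shows which requests were triggered by the messaging client without any user click.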

Finally, when the downloaded data exceeds the maximum memory the application is allowed to use, an exception is thrown and WhatsApp runs out of memory, which crashes the application and results in a DoS.

Limitations

  • Only works on 3G or faster networks
  • It seems to work on any WhatsApp version (prior to the fix, see below).
  • It seems to work on any Android version.
  • Follows at most 6 redirects
  • No JavaScript interpretation (AFAIK)
  • It doesn't seem to work on iPhone devices
  • No cookie is sent in the request, even if one has already been set.
  • Affects WhatsApp versions prior to 2.11.134

Mitigation

WhatsApp has provided an update for the application, version 2.11.134, which fixes this behaviour. It is available at the following link:
http://www.whatsapp.com/android/market/WhatsApp.apk
Alternatively, to prevent this behaviour without updating the current version, all auto-downloads must be disabled in the WhatsApp settings. The following image shows, step by step, how to reach that menu from the application's settings:


Make sure that auto-download is disabled in each of the three scenarios (3G, Wi-Fi, traveling); traveling is disabled by default, so:


Note that, after following the above instructions, WhatsApp will never connect automatically, and it will never auto-download any attached media either.

Timeline

  •   01-Nov-2013  Sent email to WhatsApp support asking for a security contact email
  •   01-Nov-2013  First auto-generated email response (ticket received and opened)
  •   05-Nov-2013  Second auto-generated email response (general information)
  •   05-Nov-2013  Sent email asking again how to provide technical details about security issues
  •   06-Nov-2013  Support confirms that its email address is fine for technical details
  •   06-Nov-2013  Sent technical details to vendor
  •   11-Nov-2013  No response from WhatsApp, so another email is sent asking for a reply
  •   12-Nov-2013  Response with questions about the DoS; the existence of the security@whatsapp contact is notified
  •   12-Nov-2013  Step-by-step reproduction sent to WhatsApp support and security contacts
  •   14-Nov-2013  No response from WhatsApp, so another email is sent asking for a reply
  •   14-Nov-2013  They cannot reproduce the behaviour with the latest WhatsApp version
  •   14-Nov-2013  Latest version checked and confirmed fixed, so we published this paper


EOF