Is WhatsApp safe? What "the security code has changed" means in WhatsApp. IT versus intelligence services. The Signal encryption protocol


There are claims that all encrypted instant messengers are vulnerable, WhatsApp especially. The material caused a lot of noise, but is the situation really that bad? Open Whisper Systems, a company specializing in internet security, says that The Guardian wrote nothing new and that WhatsApp was attacked for no good reason.

Last spring, WhatsApp released the biggest update in its history: mandatory end-to-end encryption, which essentially means that no one, including WhatsApp, can read your correspondence. Yesterday's investigation by The Guardian presents the opinion of an expert who claims that WhatsApp deliberately left a “backdoor” in its code so that intelligence agencies and other interested parties could intercept messages. The WhatsApp developers themselves say that this is not true at all, and that the potentially unsafe behavior of their application is nothing more than a way of making life easier for their many users.

WhatsApp messaging security was developed with the help of Open Whisper Systems, the same company that developed the most secure messenger in the world, Signal, and the company describes in detail on its blog how everything works. WhatsApp has implemented the Signal protocol (it has also been implemented in the recent Google Allo), which issues each user two security keys: a public key by which other users can identify them, and a personal private key that is tied to the device. Since people change their phones and apps frequently, their set of security keys changes accordingly. Users can verify the privacy of their WhatsApp communications by checking the security code on each device participating in the conversation: if the codes match, nobody is intercepting messages between the interlocutors (this type of attack is called man-in-the-middle, MITM).

The Guardian's article is based on an investigation by Tobias Boelter. He claims that the WhatsApp server can be compromised at the request of third parties. That is, WhatsApp can generate a new security key and issue it to those third parties before users notice that anything has happened. In the Signal messenger, any change of the security key makes sending fail and raises a security warning, and the message goes out only if the user then decides to resend it manually. In WhatsApp, the user receives a notification about the key change, while the message is automatically re-encrypted to the new key and sent to the recipient. That is, only afterwards can you find out whether the new key really belongs to your recipient. On top of that, this warning setting still has to be enabled manually in WhatsApp.

Open Whisper Systems explains this behavior of WhatsApp by the messenger's philosophy of simplicity. Also, WhatsApp servers do not know who has enabled the warning setting and who has not, so a hacking attempt can be quickly detected. In any case, WhatsApp's “lawyers” insist that such a security policy can be called whatever you like, but it is not a vulnerability or a backdoor. It is a “feature”.
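The two key-change policies described above, modelled as an added example (not code from WhatsApp, Signal or the original article). The `Sender` class, the constructed keys and the simplified `security_code` derivation are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field

def security_code(key_a: bytes, key_b: bytes) -> str:
    """Simplified stand-in for the in-app code: digits derived from both
    identity keys, identical on both devices (NOT WhatsApp's real derivation)."""
    digest = hashlib.sha256(b"".join(sorted([key_a, key_b]))).digest()
    groups = (int.from_bytes(digest[i:i + 4], "big") % 100000 for i in range(0, 24, 4))
    return " ".join(f"{g:05d}" for g in groups)

@dataclass
class Sender:
    own_key: bytes
    block_on_change: bool             # True: Signal-style, False: WhatsApp-style
    show_notifications: bool = False  # "Show security notifications", off by default
    pinned: dict = field(default_factory=dict)  # contact -> last seen identity key
    log: list = field(default_factory=list)

    def send(self, contact: str, key_from_server: bytes) -> str:
        known = self.pinned.get(contact)
        if known is not None and known != key_from_server:
            if self.block_on_change:
                # Nothing leaves the device until the user compares the new
                # security code with the contact and resends by hand.
                self.log.append("warning: key changed, message held")
                return "held"
            if self.show_notifications:
                self.log.append("notice: security code changed")
        # First contact (trust on first use) or non-blocking key change:
        # pin whatever key the server supplied and encrypt to it.
        self.pinned[contact] = key_from_server
        return "sent to key " + key_from_server.hex()[:8]

def compare_policies() -> dict:
    me, old, new = b"\x01" * 32, b"\x02" * 32, b"\x03" * 32  # constructed keys
    out = {}
    for name, block, notify in (("blocking", True, True),
                                ("non_blocking_notify", False, True),
                                ("non_blocking_default", False, False)):
        s = Sender(me, block, notify)
        s.send("bob", old)  # first message pins the key
        out[name] = (s.send("bob", new), list(s.log))
    out["code_changed"] = security_code(me, old) != security_code(me, new)
    return out

if __name__ == "__main__":
    for policy, result in compare_policies().items():
        print(policy, result)
```

In the `non_blocking_default` case the message is encrypted to the replaced key and the sender's log stays empty, which is why the notification setting matters.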

Many Western security experts agree with Open Whisper Systems' findings:

Buried deep in the settings is the function of displaying active sessions from desktop computers

For Facebook, the owner of WhatsApp, the WhatsApp Web service is just an option; information security experts, however, see it as a threat. Through it, users can open the contents of all saved messages in a web browser, read any chat from there, and even send new messages.

However, this opportunity can become a trap: it is enough to leave an unlocked phone unattended in the workplace for a short time for an envious colleague to scan a special QR code on the website web.whatsapp.com with your device. To expose this kind of spying, open WhatsApp and go to Settings. Here select the line “WhatsApp Web/Desktop”. You will see a list of active connections. By clicking on the line “Log off all computers” you will end all sessions.

To protect yourself from such future snooping, turn on a screen lock on your phone. After this, you don’t have to be afraid that someone will quietly read the QR code on your computer with your device and gain access to your correspondence.


Soomz (soomz.io) offers a set of three camera covers for about 600 rubles. With their help you will protect your device

In addition, malware can also interfere with your WhatsApp. For example, it allows criminals to take pictures covertly. For protection, use a webcam cover.

This way you will be sure that no manipulations have been carried out with the program and that it will not immediately start sending the contents of messages to web spies.

Checking encryption keys


When the encryption keys are changed, the alarm starts ringing for the WhatsApp user.

WhatsApp communications are end-to-end encrypted. The keys required for this are stored directly on the devices. With their help, WhatsApp encrypts information and sends it to the recipient.

Experts, however, have figured out a method to bypass such encryption. They simply change the key on the recipient's device and then read the message using a man-in-the-middle attack.

The messenger's settings are to blame for the fact that the user neither sees nor hears anything about this. Facebook puts comfort before security and does not notify about changes. However, it is possible to activate notifications about a change of the key in use. The option is hidden in the settings.

To receive a notification about the lack of encryption, the corresponding function must be enabled in the settings

To enable alerts, launch WhatsApp and go to Settings. From there, open “Account | Security”. Activate the “Show security notifications” option.

If the recipient's key then changes, you will know about it. However, such a change does not necessarily indicate an attack.

It is likely that the recipient simply linked a new phone to their WhatsApp account. And in this case, the encryption code will be different. When in doubt, the easiest way is to ask your interlocutor what happened.

WhatsApp is the most popular messenger today for free messaging between smartphone users. The program exists for various platforms: iOS, Android, Windows, BlackBerry and even the now defunct Symbian. The program was created in 2009 by Jan Koum and Brian Acton. In 2014, it was bought by Facebook for $19 billion. But this is, so to speak, the background story. I will teach you how to read someone else's correspondence on WhatsApp for free, without downloading third-party programs, without registration and without SMS))) The method is based on social engineering and does not use any third-party or malicious software.

Hack WhatsApp


In March 2014, programmer Bas Bosschert published instructions for hacking WhatsApp correspondence. Its essence was that the program installed on an Android device stored the correspondence database in clear text; later the creators encrypted this data, but it was also easy to decrypt. Considering the popularity of this program, there is no doubt that there will be many who want to gain access to an account and read other people's correspondence.

Addition regarding enabling encryption in WhatsApp

In April 2016, Jan Koum announced that messages from all WhatsApp users, as well as group chats, are now encrypted using “end-to-end encryption”, i.e. users' messages and voice calls cannot be intercepted by third parties (hackers, criminals, security forces, intelligence, etc.). This is of course all great, but WhatsApp has gone the way of Telegram. I think the catalyst for this decision was the precedent with Apple, which the FBI forced to hack the iPhone of the San Bernardino terrorists.

The way to read someone else's correspondence that is described on this page is based on social engineering, and it does not matter here whether encryption is enabled in WhatsApp or not. Encryption protects against eavesdropping, but not when there is direct access to the phone. Therefore, to protect your WhatsApp account from hacking, always set a password (for unlocking the phone or for launching a specific application).

To enable encryption in WhatsApp you don't need to do anything special. Update your program to the latest version. In order for a conversation between two subscribers to be encrypted, both interlocutors must have the latest version of WhatsApp installed.

I wrote separately about encryption.

My instructions for hacking WhatsApp


This is not even WhatsApp hacking in its usual sense. Hacking involves the use of third-party programs, viruses, Trojans, etc. I'll just teach you how to read other people's correspondence. To do this, the developers themselves released such a function as a web version. With certain settings, it can be used for your own selfish purposes. Access to the victim's phone is required, at least for 30-60 seconds.

1. The first thing we need is to open our personal PC and go to the page https://web.whatsapp.com/ There must be a “stay logged in” checkbox.

2. The second is the phone, the correspondence from which you need to read. Open WhatsApp, go to the menu and select WhatsApp Web. It is in this place that you need those very 30-60 seconds during which you need to have time to scan the QR code on the computer screen with your smartphone camera. The code changes every minute, so there is little time to think about it.

3. On the computer, the same chats with correspondence open in the browser as on the phone. You can also send messages and read them in real time.

The victim, whose correspondence is now available for you to read, will not even know about it unless you tell them yourself. If you go to the WhatsApp Web menu on the phone again, you will see that a session is open on your computer. I can say with confidence that this information will not tell 99% of users anything, and no one will guess that someone else is reading their correspondence.

Important! Access to your WhatsApp account, and therefore reading correspondence, is only possible when the smartphone itself is connected to the Internet. If it is offline, there is no synchronization between your phone and computer.

This information was written by me purely for informational purposes. Take care of your phones or put a password on them, like I do.

To protect your Android smartphone from hacking, which is described above, I recommend installing . With its help, you can set a password to launch any application; WhatsApp, for example, will not start until you enter the correct password.

How to start a WhatsApp Web session on your phone

Good news, comrades! Finally, it is possible to launch a WhatsApp Web session on your phone. Earlier, when you tried to open the code scanning page in a mobile browser, you were automatically thrown into the application, but now it is possible to bypass this limitation. How?

Download the application called Whatscan for Whatsweb from PlayMarket or AppStore. Launch it and you will see the usual window for scanning the QR code. The application takes on the role of a browser on a computer. By scanning this code from the “victim’s” phone, you will be able to read her messages without being tied to a computer, i.e. directly from the screen of your smartphone.

Write in the reviews how well the application works. For now, this is the only way to read another person's WhatsApp messages from your phone.

How to find out passwords for email and pages on social networks VK and OK.

If you want to go even further and find out other people’s passwords for VKontakte, Odnoklassniki, mail accounts, etc. look . The method is 100% working and tested. We read carefully and strictly follow the instructions. We ask questions ONLY after reading.

Checking cheating using GetContact

The new GetContact app at the end of February is literally “. By installing a small program on your phone, you can search for information about unknown numbers in a common database, which is replenished by users like you. The original idea of the program was to fight spam. But whereas in similar apps users themselves mark this or that number as spam, GetContact, without asking, pumps the ENTIRE phone book into a common database that EVERYONE can see. When you enter a number, you see how it is recorded in different people's phone books. For example like this:

But what if a man is registered under a woman's name? Or is the woman registered as a man? A reason to think. Find out how to remove yourself from the GetContact database.

Recently, WhatsApp has become one of the most popular instant messengers not only in Russia, but throughout the world. Using it, it is convenient to conduct correspondence, transfer data, and make calls. And of course, any user wants to be sure that no one will be able to listen to his calls, read his correspondence, and files will be available only to him and the interlocutor. That is why you should not lose sight of such a parameter as security.

WhatsApp security level. Information security

First of all, security means the confidentiality, availability and integrity of information. The development company should give its users confidence that all three of these security parameters are functioning at the proper level.

WhatsApp has a very rich history in terms of security. Several years ago it turned out that initially, when the application was first released, WhatsApp security was achieved only by hashing the password using the MD5 algorithm. That is, an attacker could easily obtain the user's password with almost no effort. The developers decided to repair their reputation by collaborating with the cryptography company Open Whisper Systems.

Currently, WhatsApp uses secure data encryption technology, so-called end-to-end encryption. For those who don’t know what it is, let’s try to explain it in simple words.

Let's imagine that there are two users, Dima and Kolya. Both Dima and Kolya have two keys generated. The first key (public) is intended for encrypting messages, and the second (private) is for the reverse process, decryption. Accordingly, the public key is in the public domain, that is, absolutely any user can view it, but only the owner of the private key can decrypt messages encrypted with it. Thus, having generated a pair of keys each, Dima and Kolya begin secure communication, since only the author of the message and its recipient have the decryption key.

However, despite the fact that WhatsApp security is provided through end-to-end encryption, it is not quite up to par. For example, WhatsApp is not protected from DoS attacks, though in a rather peculiar way. WhatsApp developers have limited message size to 6600 characters. But if the message contains 4400 emoticons, the WhatsApp application will crash due to a buffer overflow. The only way to get rid of this problem at the moment is to delete the correspondence with such a sender. It should be noted that WhatsApp security on iOS cannot be undermined by such an attack.

Quite recently, on March 15, 2017, a vulnerability became known with which attackers could take full control of an account used via WhatsApp Web. Since WhatsApp allows you to send various types of data, the malicious code was disguised as a regular picture; when the user clicked on it, the attacker gained access to the user's content. This vulnerability was relevant not only for WhatsApp, but also for Telegram. A new update eliminated this bug.

Another interesting fact. As an iOS information security specialist found out, erased chat history can be restored, since WhatsApp does not completely delete the history. This is because the messenger uses a SQLite database (DB) to store correspondence. When the user tries to delete the selected messages, they are not deleted but moved to the so-called free list. That is, WhatsApp only later overwrites these messages with new ones. The peculiarity is that some messages can wait for their turn for a single month before disappearing completely.
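The SQLite behavior described above can be reproduced on a throwaway database. The following is an added example, not code from WhatsApp or from the original article; the `messages` table and the marker text are constructed for the test. It deletes one row and then searches the raw database file for the deleted text, first with `secure_delete` off, then with it on, then after a `VACUUM`.

```python
import os
import sqlite3
import tempfile

MARKER = b"constructed-secret-message-0123456789"  # constructed sample text

def residue_after_delete(secure_delete: bool, vacuum: bool = False) -> bool:
    """Delete one row, then report whether its text is still in the file."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        conn = sqlite3.connect(path)
        # Set explicitly: some SQLite builds enable secure_delete by default.
        conn.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
        conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
        rows = [(1, "hello"), (2, MARKER.decode()), (3, "see you tomorrow")]
        conn.executemany("INSERT INTO messages VALUES (?, ?)", rows)
        conn.commit()
        conn.execute("DELETE FROM messages WHERE id = 2")
        conn.commit()
        # At the SQL level the row is gone in every mode.
        assert conn.execute("SELECT count(*) FROM messages").fetchone()[0] == 2
        if vacuum:
            conn.execute("VACUUM")  # rebuilds the file without unallocated space
        conn.close()
        with open(path, "rb") as fh:
            return MARKER in fh.read()  # raw byte search, as a forensic tool would do
    finally:
        os.remove(path)

if __name__ == "__main__":
    print("secure_delete=OFF:", residue_after_delete(False))
    print("secure_delete=ON: ", residue_after_delete(True))
    print("OFF, then VACUUM: ", residue_after_delete(False, vacuum=True))
```

With `secure_delete` off the deleted text is still present in the file; with it on, or after `VACUUM`, it is not.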

iOS users need to be more careful. WhatsApp security poses additional risks for them. If an iOS user creates a backup of WhatsApp conversations, the SQLite database with the unencrypted message history is saved to Apple servers. An iOS information security specialist recommends periodically deleting WhatsApp from the device in order to reset the database, and also, if possible, not using iCloud backups.

Another vulnerability is also known. WhatsApp can generate new key pairs if the user has not been online for a long time and does not notify the participants of the correspondence about the incident. This means that if a subscriber sends a message to a user who has not been online for a long time, or has deleted the application from the phone, the message may be lost, i.e. not reach the final recipient.

But half of this defect can still be corrected.

So why does this option only half correct the situation? The fact is that WhatsApp does not support resending messages, but it can warn the sender that the encryption key has been updated.

Whatsapp password

Sometimes you have to hide your correspondence from prying eyes. The method described below will, of course, not save your data from professional hackers, but it is quite adequate against those into whose hands your phone might fall.

The ChatLock application allows you to set a password for any messenger, including WhatsApp.

Now, on each attempt to open WhatsApp, the system will ask the user for a password. If the attempt is unsuccessful, the login will not be completed.

To sum up, it cannot be said that security on WhatsApp is at the proper level. Like any other messenger, WhatsApp has its drawbacks. But knowing exactly what vulnerabilities there are in the application, you can protect yourself from many unpleasant situations.


