WhatsApp Security Woes; Hardcoded AES Key Used For Message Storage

It seems security is still an issue with WhatsApp. The previous problem was a vulnerability that allowed anyone to remotely change the status message on other accounts simply by entering the mobile phone number tied to the account.

The newest issue has to do with the message storage database that WhatsApp uses to keep a log of incoming and outgoing messages. While the SQLite database is stored in a directory that is only accessible after jailbreaking or rooting the device, and the database is encrypted using AES-192, it is unfortunately encrypted with a hard-coded, static key.

The entire contents of the database can be decrypted using the known key. The database, which is stored in /com.whatsapp/databases/msgstore.db on Android phones and ~/Documents/ChatStorage.sqlite on iOS devices, can be decrypted by supplying the key and asking openssl to turn the database back into plaintext:

openssl enc -d -aes-192-ecb -in msgstore-1.db.crypt -out msgstore.db.sqlite -K 346a23652a46392b4d73257c67317e352e3372482177652c

To make decryption easier, an online portal was created for the job. Of course you will need a jailbroken or rooted device in order to get hold of the encrypted database; then you can simply upload the file to http://www2.unsec.net/whatsapp/ and it will be decrypted.

Last time, it took WhatsApp just under a week to patch the hole. Fixing this issue will require a client update that introduces a new key, hopefully one generated from device-specific information or from something the user enters so that a strong key results, and then re-encrypts the database with it.
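To make the two problems above concrete (a key that is identical on every install, and ECB mode, which leaks whenever two 16-byte blocks of the database are the same), here is an added example in Go. It is not code from the post or from WhatsApp; the device secret, salt and plaintext are constructed values, and the HKDF-SHA256 derivation, the AES-192 key length and the AES-GCM container are this example's own choices, not a description of how WhatsApp does or should store keys. It derives a per-install 192-bit key, shows the duplicate-block leak of ECB, and seals the same data with an authenticated mode instead.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed sample inputs; not values taken from any real device or app.
const (
	keyLen     = 24                          // 24 bytes = AES-192, matching the post
	devSecretA = "device-secret-A-example-01" // stand-in for a per-install random secret
	devSecretB = "device-secret-B-example-02" // a second, different install
)

// hkdfSHA256 implements RFC 5869 extract-then-expand for outputs up to one
// SHA-256 block (32 bytes), which is all a 24-byte AES-192 key needs.
func hkdfSHA256(ikm, salt, info []byte, n int) []byte {
	if n > sha256.Size {
		panic("hkdfSHA256: single-block expand supports at most 32 bytes")
	}
	ext := hmac.New(sha256.New, salt) // PRK = HMAC(salt, IKM)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	exp := hmac.New(sha256.New, prk) // T(1) = HMAC(PRK, info || 0x01)
	exp.Write(info)
	exp.Write([]byte{0x01})
	return exp.Sum(nil)[:n]
}

// DeriveDeviceKey turns a per-install secret plus a random salt into the
// database key, so no two installs share a key and nothing is hard-coded.
func DeriveDeviceKey(deviceSecret string, salt []byte) []byte {
	return hkdfSHA256([]byte(deviceSecret), salt, []byte("msgstore-db-key-v1"), keyLen)
}

// NewSalt returns 16 random bytes to be stored next to the database.
func NewSalt() ([]byte, error) {
	s := make([]byte, 16)
	_, err := rand.Read(s)
	return s, err
}

// ecbEncrypt encrypts block by block with no chaining, exactly what
// -aes-192-ecb does; plaintext must already be a multiple of 16 bytes.
func ecbEncrypt(key, pt []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := blk.BlockSize()
	if len(pt)%bs != 0 {
		return nil, errors.New("plaintext not block aligned")
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += bs {
		blk.Encrypt(ct[i:i+bs], pt[i:i+bs])
	}
	return ct, nil
}

// DuplicateBlocks counts 16-byte ciphertext blocks that repeat an earlier
// block: under ECB, equal plaintext blocks give equal ciphertext blocks.
func DuplicateBlocks(ct []byte) int {
	seen := map[string]bool{}
	dups := 0
	for i := 0; i+16 <= len(ct); i += 16 {
		b := string(ct[i : i+16])
		if seen[b] {
			dups++
		}
		seen[b] = true
	}
	return dups
}

// SealDatabase encrypts with AES-GCM (random nonce prepended, tag appended),
// so the ciphertext hides block structure and tampering is detected.
func SealDatabase(key, plaintext []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenDatabase reverses SealDatabase and fails on a wrong key or any edit.
func OpenDatabase(key, blob []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

func main() {
	salt, _ := NewSalt()
	ka, kb := DeriveDeviceKey(devSecretA, salt), DeriveDeviceKey(devSecretB, salt)
	fmt.Println("keys differ per install:", !bytes.Equal(ka, kb))
	pt := bytes.Repeat([]byte("0123456789ABCDEF"), 4) // 4 identical blocks, constructed
	ecb, _ := ecbEncrypt(ka, pt)
	blob, _ := SealDatabase(ka, pt)
	fmt.Println("ECB duplicate blocks:", DuplicateBlocks(ecb), " GCM duplicate blocks:", DuplicateBlocks(blob[12:]))
}
```

A key derived only from data that lives on the device is still recoverable by whoever has root on that device; it removes the one-key-for-everyone problem but not the local one. Mixing in something the user supplies, through a password KDF such as PBKDF2 or scrypt rather than plain HKDF, is what makes the key genuinely unavailable to someone holding just the files.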

UPDATE: As pointed out by a reader, the original research and analysis conducted on the database can be found in a PDF and there is also a WhatsApp Xtract application posted on XDA-Developers. Thanks Martina!
