
Whatsapp backdoor

(@droopy)
Posts: 136
Estimable Member
Topic starter
 

As I stated in this forum 8 months ago, WhatsApp has a BACKDOOR
http://thehackernews.com/2017/01/whatsapp-encryption-backdoor.html

Not only this application but also Telegram, Signal and almost ALL "secure" chats.

I told this info 8 months ago (HERE IN THIS FORUM), and now it is public.
WhatsApp Source Code (by reversing it) could be offered )

Droopy

 
Posted : 13/01/2017 11:13 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

As I stated in this forum 8 months ago, WhatsApp has a BACKDOOR
http://thehackernews.com/2017/01/whatsapp-encryption-backdoor.html

Not only this application but also Telegram, Signal and almost ALL "secure" chats.

I told this info 8 months ago (HERE IN THIS FORUM), and now it is public.
WhatsApp Source Code (by reversing it) could be offered )

Droopy

Actually the article says that it is specific to the WhatsApp implementation (and not to Signal), and points to the finding by Tobias Boelter which is dated April 16, 2016
https://tobi.rocks/2016/04/whats-app-retransmission-vulnerability/

thehackernews seemingly found it only today, (after The Guardian "discovered" it).

And this is anyway a completely different one from the one(s) that you claimed in May 2016
http://www.forensicfocus.com/Forums/viewtopic/t=14178/

jaclaz

 
Posted : 14/01/2017 12:36 am
(@droopy)
Posts: 136
Estimable Member
Topic starter
 

This is an old bug; I discovered another in December 2015, and sold the exploit to a government that uses it to monitor WhatsApp.

By auditing the code you could find many others.

Signal implements a FAKE ZRTP, no key continuity, which means I could create a new key on each call and make a MITM. That's how I intercept Signal messages now for a government.

Telegram is hacked by Russia FSB, google it for 1 year approx. It is public, just use Google Search Engine

 
Posted : 14/01/2017 5:02 am
(@randomaccess)
Posts: 385
Reputable Member
 

I told this info 8 months ago (HERE IN THIS FORUM), and now it is public.
WhatsApp Source Code (by reversing it) could be offered )

Did you notify whatsapp/facebook?

 
Posted : 14/01/2017 7:02 am
(@droopy)
Posts: 136
Estimable Member
Topic starter
 

No, I discover bugs and exploits for government only.
Even some bugs are put ON PURPOSE on the code for the backdoor, even if you inform them, they will not solve it.

Like Silent Circle backdoor product that adds on purpose a buffer overflow code on the source code "just in case" you need to monitor someone )

Many of these exploits are ON PURPOSE added on code.

 
Posted : 14/01/2017 6:29 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

It is very possible that both whatsapp and signal (and everything else) have backdoors and can be intercepted/whatever.

It is also possible that you actually know about these vulnerabilities.

What is a little more difficult to believe is that you are the only one that knows about them, that governments buy software from you and that you are here spreading the "news" about the insecurity of those programs.

I mean, you have this wonderful piece of software that can intercept messages on a platform, you make money out of it, your clients are governments (that usually have a fancy for keeping these kinds of things secret) and you go around telling everyone (besides how smart you are) that people should NOT use that platform because it is insecure? 😯

It sounds like you are undermining your own market.

And now - just for the record - the Whisper Systems' take on the matter
https://whispersystems.org/blog/there-is-no-whatsapp-backdoor/

jaclaz

 
Posted : 14/01/2017 6:55 pm
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

And now - just for the record - the Whisper Systems' take on the matter
https://whispersystems.org/blog/there-is-no-whatsapp-backdoor/

jaclaz

To summarize this; Moxie states that every time a key is changed then the user on the other side is informed. They considered whether to just inform the user or stop all messages, but decided that as WhatsApp is a gigantic entity just to inform the user is enough. This is an optional feature but it exists nonetheless. It is not a "back door".

Furthermore, historic messages cannot be decrypted in this way. If A is talking to B and dude C intercepts the chat, C cannot decrypt historic messages from A without asking them to be specifically re-sent.

—————–

Anyone can see a reported vulnerability and say "see guys? I WAS RIGHT" but it proves nothing. Furthermore, Whisper Systems make their encryption protocol available to everyone, so it's not like it's a gigantic secret how these things are implemented.

 
Posted : 16/01/2017 1:51 pm
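A toy model of the two sender-side policies summarised in the post above (inform the user, or stop messages, when the recipient's key changes), added here as an example and not part of the original thread or of any WhatsApp or Signal code. The class, the policy names and the key labels are hypothetical, and no real cryptography is performed.

```python
from dataclasses import dataclass, field

@dataclass
class Sender:
    """Toy sending client. Keys are opaque labels; no real cryptography."""
    policy: str                       # "notify" (non-blocking) or "block" (hypothetical names)
    trusted_key: str                  # recipient identity key currently accepted
    show_notices: bool = True         # the optional notification setting
    delivered: list = field(default_factory=list)  # history, never re-sent
    pending: list = field(default_factory=list)    # sent, not yet delivered
    held: list = field(default_factory=list)       # waiting for user approval
    notices: list = field(default_factory=list)
    candidate_key: str = ""

    def send(self, text, recipient_online):
        (self.delivered if recipient_online else self.pending).append(text)

    def on_key_change(self, new_key):
        """Server announces a new recipient key; return what is re-sent now."""
        if self.policy == "notify":
            # Non-blocking: undelivered messages are re-encrypted immediately,
            # and the user is told only if notifications are switched on.
            if self.show_notices:
                self.notices.append(f"security code changed to {new_key}")
            resent = [(m, new_key) for m in self.pending]
            self.pending.clear()
            self.trusted_key = new_key
            return resent
        # Blocking: keep the old trust decision until the user verifies.
        self.notices.append(f"key changed to {new_key}, sending paused")
        self.held.extend(self.pending)
        self.pending.clear()
        self.candidate_key = new_key
        return []

    def approve_new_key(self):
        """User verified the new key out of band; release held messages."""
        self.trusted_key = self.candidate_key
        resent = [(m, self.trusted_key) for m in self.held]
        self.held.clear()
        return resent

def run_scenario(policy, show_notices=True):
    """Constructed scenario: one delivered message, one pending, then a key change."""
    s = Sender(policy=policy, trusted_key="KEY_A", show_notices=show_notices)
    s.send("delivered earlier", recipient_online=True)
    s.send("still in transit", recipient_online=False)
    return s, s.on_key_change("KEY_B")
```

Under either policy the already delivered message is never re-sent, which matches the point about historic messages; the policies differ only in whether the undelivered message goes to the new key before or after the user decides.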
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

To summarize this; …

I would summarize it differently, with a timeline 😯
16 April 2016 Tobias Boelter, a security researcher, discovered a supposed vulnerability (not in the actual software but rather in the way a particular issue is managed in it) publishing on his blog and stating how the protocol itself is perfectly fine and notifying Facebook
15 May 2016 John McAfee states he can decrypt Whatsapp chats.
16 May 2016 droopy posts about existence of a WhatsApp backdoor
16 May 2016 It comes out how the supposed decryption by John McAfee is - maybe - another vulnerability in Android that may allow for malware to be installed on it (Google issue).
16 May 2016 Everyone tells droopy about the above
16 May 2016 droopy insists, posting about other (BTW well known) vulnerabilities that have nothing to do with WhatsApp, let alone Signal
31 May 2016 Facebook acknowledges the report by Tobias Boelter, stating how it is a known decision taken intentionally and that they are not going to change it for the moment

Fast forward
13 January 2017 The Guardian (namely Manisha Ganguly) "discovered" the post on Tobias Boelter's blog and published an article about a backdoor [1]
13 January 2017 The Hacker News (namely Mohit Kumar) "discovered" the article on the Guardian and re-posted the "news" [2]
13 January 2017 droopy posted about the article on The Hacker News, re-stating how WhatsApp AND Signal AND Telegram AND most chat apps have a backdoor and how he already posted this info 8 months earlier (actually only some apodictic statements about these apps being insecure and messages that can be decrypted)
14 January 2017 The Hacker News (namely Mohit Kumar) insisted on it
14-16 January 2017 Various members of forensic focus reported being very skeptical about the whole stuff and particularly about the specific "feature" discovered originally by Tobias Boelter being a "backdoor" of any kind.

News
15 January 2017 Tobias Boelter has posted a "A response to the denials from moxie and WhatsApp" (was "There is a WhatsApp Backdoor")
https://tobi.rocks/2017/01/there-is-a-whatsapp-backdoor/

16 January 2017 More apodictic statements by droopy with a reiterated offer to provide (I presume to Government Agencies ONLY) reverse engineered source code of WhatsApp
Added a totally unrelated Master Thesis dated September 8, 2016 by a nice Czech Engineer that attempted to hack Telegram without success, but that still believes that it can be done

Finally, we have localized an exploitable vulnerability and drafted an attack scenario. We concluded that the Android application does not check the message identification numbers properly and that a Replay attack might be feasible. Although our primary scenario of the attack turned out not to be applicable, we have drafted an altered scenario which we believe would work. We have also reported our findings to the Telegram security team which accepted our remarks and agreed, to a certain degree, that this might be exploitable. Telegram promised to fix this issue in the next software release.

jaclaz

[1][2] Please note how both the articles, badly informed or lazy as they may be, clearly state how the issue (if any) is in WhatsApp and not in Signal.

 
Posted : 16/01/2017 3:07 pm
(@droopy)
Posts: 136
Estimable Member
Topic starter
 

Thanks for the timeline.

Related to Signal software, just notice it does NOT have key continuity, which is one of the strongest features of the ZRTP protocol. Even WebRTC does NOT have this, that's why the WebRTC protocol is 100% interceptable and EASY to capture.
So, Signal uses a WEAK implementation.
Moreover, it asks for your phone number, I could inject a remote exploit just by phone number. (Google NSO PEGASUS on iPhone)

Extra: Moxie's server side is NOT public. You could capture and make MITM by adding a virtual proxy without user intervention. ZRTP will keep working, but instead of end to end, you split the streams in 2, and the server handles it. That's how you could capture it )

Remember this, encryption is 80% IMPLEMENTATION and 20% algorithm.
Moxie's implementation is technically horrible, I have 4 exploits and bugs already detected and private.

Never trust them.
WhatsApp source code by reversing to plain source code could be offered )

Bonus
Security Analysis of Telegram IM
https://www.susanka.eu/files/master-thesis-final.pdf
***some vulnerabilities and exploits are there )

 
Posted : 16/01/2017 5:15 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Thanks for the timeline.

You are welcome )

Timeline
http://www.forensicfocus.com/Forums/viewtopic/p=6586905/#6586905

updated.

jaclaz

 
Posted : 16/01/2017 5:34 pm