Notifications
Clear all

Whatsapp backdoor  

Page 1 / 2
  RSS
droopy
(@droopy)
Active Member

As i state in this forum 8 months ago, Whatsapp has a BACKDOOR
http//thehackernews.com/2017/01/whatsapp-encryption-backdoor.html

Not only this application but also Telegram , Signal and almost ALL "secure" chats.

I told this info 8 months ago (HERE IN THIS FORUM), and now is public.
Whatsapp Source Code (by reversing it) could be offered )

Droopy

Quote
Posted : 13/01/2017 11:13 pm
jaclaz
(@jaclaz)
Community Legend

As i state in this forum 8 months ago, Whatsapp has a BACKDOOR
http//thehackernews.com/2017/01/whatsapp-encryption-backdoor.html

Not only this application but also Telegram , Signal and almost ALL "secure" chats.

I told this info 8 months ago (HERE IN THIS FORUM), and now is public.
Whatsapp Source Code (by reversing it) could be offered )

Droopy

Actually the article says that it is specific to Whatsapp implementation (and not to Signal), and points to the finding by Tobias Boelter which is dated April 16, 2016
https://tobi.rocks/2016/04/whats-app-retransmission-vulnerability/

thehackernews seemingly found it only today, (after The Guardian "discovered" it).

And this is anyway a completely different one from the one(s) that you claimed in May 2016
http//www.forensicfocus.com/Forums/viewtopic/t=14178/

jaclaz

ReplyQuote
Posted : 14/01/2017 12:36 am
droopy
(@droopy)
Active Member

This is an old bug, i discover another on December 2015, and sell the exploit to a goverment that uses to monitor whatsapp.

By auditing the code you could find many others.

Signal implement a FAKE zrtp, no key continuity, which means I could create a new key on each call and make a MITM. Thats how i intercept signal messages now for a goverment.

Telegram is hacked by Russia FSB, google it for 1 year aprox. It is public, just use Google Search Engine

ReplyQuote
Posted : 14/01/2017 5:02 am
randomaccess
(@randomaccess)
Active Member

I told this info 8 months ago (HERE IN THIS FORUM), and now is public.
Whatsapp Source Code (by reversing it) could be offered )

Did you notify whatsapp/facebook?

ReplyQuote
Posted : 14/01/2017 7:02 am
droopy
(@droopy)
Active Member

No, i discover bugs and exploits for goverment only.
Even some bugs are put ON PURPOSE on the code for the backdoor, even if you inform them, they will not solve it.

Like Silent Circle backdoor product that adds on purpose a buffer overflow code on the source code "just in case" you need to monitor someone )

Many of these exploits are ON PURPOSE added on code.

ReplyQuote
Posted : 14/01/2017 6:29 pm
jaclaz
(@jaclaz)
Community Legend

It is very possible that both whatsapp and signal (and everything else) have backdoors and can be intercepted/whatever.

It is also possible that you actually know about these vulnerabilities.

What is a little more difficult to believe is that you are the only one that knows about them, that governments buy software from you and that you are here spreading the "news" about the insecurity of those programs.

I mean, you have this wonderful piece of software that can intercept messages on a platform, you make money out of it, your clients are governments (that usually have a fancy for keeping these kinds of things secret) and you go around telling everyone (besides how smart you are) that people should NOT use that platform because it is insecure? 😯

It sounds like you are undermining your own market. ?

And now - just for the record - the Whisper Systems' take on the matter
https://whispersystems.org/blog/there-is-no-whatsapp-backdoor/

jaclaz

ReplyQuote
Posted : 14/01/2017 6:55 pm
Chris_Ed
(@chris_ed)
Active Member

And now - just for the record - the Whisper Systems' take on the matter
https://whispersystems.org/blog/there-is-no-whatsapp-backdoor/

jaclaz

To summarize this; moxie states that every time a key is changed then the user on the other side is informed. They considered whether to just inform the user or stop all messages, but decided that as WhatsApp is a gigantic entity just to inform the user is enough. This is an optional feature but it exists non-the-less. It is not a "back door".

Furthermore, historic messages cannot be decrypted in this way. If A is talking to B and dude C intercepts the chat, C cannot decrypt historic messages from A without asking them to be specifically re-sent.

—————–

Anyone can see a reported vulnerability and say "see guys? I WAS RIGHT" but it proves nothing. Furthermore, Whisper Systems make their encryption protocol available to everyone, so it's not like it's a gigantic secret how these things are implemented.

ReplyQuote
Posted : 16/01/2017 1:51 pm
jaclaz
(@jaclaz)
Community Legend

To summarize this; …

I would summarize it differently, with a timeline 😯
16 April 2016 Tobias Boelter, a security researcher, discovered a supposed vulnerability (not in the actual software but rather in the way a particular issue is managed in it) publishing on his blog and stating how the protocol itself is perfectly fine and notifying Facebook
15 May 2016 John McAfee states he can decrypt Whatsapp chats.
16 May 2016 droopy posts about existence of a WhatsApp backdoor
16 May 2016 It comes out how the supposed decryption by John McAfee is - maybe - another vulnerability in Android that may allow for malware to be installed on it (Google issue).
16 May 2016 Everyone tells droopy about the above
16 May 2016 droopy insists, posting about other (BTW well known) vulnerabilities that have nothing to do with WhatsApp, let alone Signal
31 May 2016 Facebook acknowledges the report by Tobias Boelter, stating how it is a known decision taken intentionally and that they are not going to change it for the moment

Fast forward
13 January 2017 The Guardian (namely Manisha Ganguly) "discovered" the post on Tobias Boelter's blog and published an article about a backdoor [1]
13 January 2017 The Hacker News (namely Mohit Kumar) "discovered" the article on the Guardian and re-posted the "news" [2]
13 January 2017 droopy posted about the article on The Hacker News, re-stating how WhatsApp AND Signal AND Telegram AND most chat apps have a backdoor and how he already posted this info 8 months earlier (actually only some apodictic statements about these apps being insecure and messages that can be decrypted)
14 January 2017 The Hacker News (namely Mohit Kumar) insisted on it
14-16 January 2017 Various members of forensic focus reported being very skeptical about the whole stuff and particularly about the specific "feature" discovered originally by Tobias Boelter being a "backdoor" of any kind.

News
15 January 2017 Tobias Boelter has posted a "A response to the denials from moxie and WhatsApp" (was "There is a WhatsApp Backdoor")
https://tobi.rocks/2017/01/there-is-a-whatsapp-backdoor/

16 january 2017 More apodictic statements by droopy with a reiterated offer to provide (I presume to Governement Agencies ONLY) reverese engineered source code of WhatsApp
Added a totally unrelated Master Thesis dated September 8, 2016 by a nice Czech Engineer that attempted to hack Telegram without success, but that still believes that it can be done

Finally, we have localized an exploitable vulnerability and drafted an attack scenario. We concluded that the Android application does not check the message identification numbers properly and that a Replay attack might be feasible. Although our primary scenario of the attack turned out not to be applicable, we have drafted an altered scenario which we believe would work. We have also reported our findings to the Telegram security team which accepted our remarks and agreed, to a certain degree, that this might be exploitable. Telegram promised to fix this issue in the next software release.

jaclaz

[1][2] Please note how both the articles, bad informed or lazy as they may be, clearly state how the issue (if any) is in WhatsApp and not in Signal.

ReplyQuote
Posted : 16/01/2017 3:07 pm
droopy
(@droopy)
Active Member

Thanks for the timeline.

Related to Signal software, just notice it DO NOT have key continuity, which is one of the strongest features of ZRTP protocol. Even webrtc do NOT have this, thats why WEBRTC protocol is 100% interceptable and EASY to capture.
So, Signal uses a WEAK implementation.
Moreover, it ask for your phone number, i could inject a remote exploit just by phone number. (Google NSO PEGASUS on iphone)

Extra Moxie server side is NOT public. You could capture and make MITM by adding a virtual proxy without user intervention. ZRTP will keep working, but instead of end to end, you split the streams in 2, and server handle it. Thats how you could capture it )

Remember this, encryption is 80% IMPLEMENTATION and 20% algorythm.
Moxie implementation is technically horrible, i have 4 exploits and bugs already detected and private.

Never trust on them.
Whatsapp source code by reversing to plain source code could be offered )

Bonus
Security Analysis of Telegram IM
https://www.susanka.eu/files/master-thesis-final.pdf
***some vulnerabilities and exploits are there )

ReplyQuote
Posted : 16/01/2017 5:15 pm
jaclaz
(@jaclaz)
Community Legend

Thanks for the timeline.

You are welcome )

Timeline
http//www.forensicfocus.com/Forums/viewtopic/p=6586905/#6586905

updated.

jaclaz

ReplyQuote
Posted : 16/01/2017 5:34 pm
RolfGutmann
(@rolfgutmann)
Community Legend

@droopy - your skills are outstanding and you deserve a high level of appreciation. Top of Class!

ReplyQuote
Posted : 16/01/2017 11:31 pm
jaclaz
(@jaclaz)
Community Legend

@droopy - your skills are outstanding and you deserve a high level of appreciation. Top of Class!

…. coincidentally, a few days ago someone else was particularly appreciated

http//press-release.levchinprize.com/

January 4, 2017

Moxie Marlinspike and Trevor Perrin are awarded their 2017 Levchin Prize for their development of the Signal protocol used to encrypt messages in communication systems. This protocol has been implemented into well known apps such as WhatsApp, Facebook Messenger, and Google Allo, encrypting the conversations of more than a billion people worldwide. The Signal protocol uses triple Diffie-Hellman, and a double ratchet mechanism to provide strong forward-secrecy. It is this massive deployment of an elegant encryption protocol for which Moxie and Trevor are awarded the Levchin prize.

Life stinks.

jaclaz

ReplyQuote
Posted : 17/01/2017 1:49 am
droopy
(@droopy)
Active Member

Prizes are marketing my friend.
Remember 2009 Nobel Prize to OBAMA (US President) and then he attack afganistan and kill millions of innocents )

ReplyQuote
Posted : 17/01/2017 4:56 pm
PaulSanderson
(@paulsanderson)
Senior Member

Prizes are marketing my friend.
Remember 2009 Nobel Prize to OBAMA (US President) and then he attack afganistan and kill millions of innocents )

I didn't realise he/they/us attacked Afghanistan I thought it was the Taliban that was attacked.

I also wasn't aware of Millions of civilian deaths - this research suggest a few 10's of thousands

http//watson.brown.edu/costsofwar/costs/human/civilians/afghan

Even Al Jazeera says it is thousands - and interestingly shows that a significant number are killed by the Afghan airforce

http//www.aljazeera.com/news/2016/07/afghanistan-surge-civilian-children-death-tolls-160725063051899.html

Either way it is still too many - although we do put an extraordinary amount of effort (and cost) into avoiding civilian casualties.

Never let the truth get in the way of a good story though Droopy )

ReplyQuote
Posted : 17/01/2017 5:21 pm
UnallocatedClusters
(@unallocatedclusters)
Senior Member

I cannot believe noone posted a link to this

https://www.youtube.com/watch?v=n31fogbmQTg

I believe we need to add Falken's Maze and Mr. Potato Head to the timeline.

ReplyQuote
Posted : 18/01/2017 1:44 am
Page 1 / 2
Share: