
Forget Encryption, WhatsApp Is Vulnerable to Phishing Attacks - mawalu
http://www.nextbigwhat.com/whatsapp-phishing-attacks-297/
======
daveloyall
I am not a WhatsApp user.

What are these QR codes and why does the author of this article say this?

    > What all can get stolen:
    >
    > 1. Anything & everything that you have shared via WhatsApp, like
    >    bank details, passwords, private pics, personal messages, etc.
    >
    > 2. Your entire contacts list
    >
    > 3. Your complete chat data
    >
    > 4. Your personal information

What's the legit use for these QR codes?

~~~
mawalu
Since WhatsApp users do not register using something like username / password,
the authentication is handled by the app using the SIM card and the ability to
receive an SMS on a given number.

When WhatsApp started WhatsApp Web, a web client for PC / Mac users, they
needed a way to authenticate the users there. This is where the QR code is
used. Once the user scans it using the app, he authorizes the computer and some
tokens are stored in the browser's localStorage.

~~~
daveloyall
So when the user is tricked into scanning an arbitrary QR code, they are
authorizing the attacker's copy of WhatsApp (or whatever) as an additional
device tied to the user's account, right?

That makes sense. Sounds like the solution is a warning message in the app.
"Do you really want to grant full account access to a new device or service
right now?"
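
The QR linking flow and the confirmation prompt discussed in this thread, as an added example that is not part of the original comments and is not WhatsApp's actual protocol. The `LinkService` class, its method names, the 60-second token lifetime and the device description string are all assumptions made for illustration.

```python
import secrets
import time

class LinkService:
    """Toy model of QR device linking (hypothetical, not WhatsApp's protocol)."""
    TTL = 60  # seconds a QR token stays valid (assumed value)

    def __init__(self, require_confirmation=True):
        self.require_confirmation = require_confirmation
        self.pending = {}  # token -> (device description, expiry time)
        self.linked = {}   # token -> account authorized for that browser session

    def new_qr_token(self, device_desc, now=None):
        """Called by the web client; the returned token is what the QR encodes."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)
        self.pending[token] = (device_desc, now + self.TTL)
        return token

    def scan(self, account, token, now=None):
        """Called by the phone app after a scan. Returns the prompt to display,
        or None when no prompt applies (expired token, or weak flow)."""
        now = time.time() if now is None else now
        entry = self.pending.get(token)
        if entry is None or now > entry[1]:
            self.pending.pop(token, None)
            return None
        if not self.require_confirmation:
            # Weak flow: the scan alone authorizes whoever requested the token.
            del self.pending[token]
            self.linked[token] = account
            return None
        return f"Grant full account access to new device: {entry[0]}?"

    def confirm(self, account, token, approved, now=None):
        """Called by the phone app with the user's answer to the prompt."""
        now = time.time() if now is None else now
        entry = self.pending.pop(token, None)  # token is single use either way
        if entry is None or now > entry[1] or not approved:
            return False
        self.linked[token] = account
        return True

    def account_for(self, token):
        """Account the browser session holding this token may act as, if any."""
        return self.linked.get(token)
```

In this model the device description is whatever the server recorded when the token was requested, so the prompt only helps if the user reads it and recognizes that the device is not their own.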

