
WhatsApp Message Hacked by John McAfee and Crew - TheSwordsman
http://cybersecurityventures.com/whatsapp-message-hacked-by-john-mcafee-and-crew/
======
felixrieseberg
This is probably the most sensational text I've read all weekend. Yes, Android
has security flaws (that have been previously covered in-depth).

The bar for "hacking WhatsApp" should be dramatically higher than installing
an app on the very device that decrypts the message. Heck, you could probably
just use the NotificationListenerService[0]. There, I hacked all messaging
apps that use notifications. I didn't even need "servers deep in the remote
mountains of Colorado".

[0]: https://developer.android.com/reference/android/service/notification/NotificationListenerService.html

~~~
AndrewKemendo
See my other comment.

For governments (the groups that ostensibly WhatsApp cares about the most) and
"hackers" it is fairly trivial to get an install on both ends of a
communications chain - especially if the target/mark is high enough priority.
So that doesn't absolve them.

~~~
shenberg
WhatsApp stops you from getting caught in dragnets and requires someone to
explicitly target you, with an actual cost for the attacker - when the
malicious app is detected, the vulnerabilities it uses will be patched,
requiring new ones to be found or bought. The more people targeted, the
greater the odds of detection. So, while every single person is pretty much as
vulnerable as ever, as a population this is still a big improvement.

------
TheSwordsman
Reading through the post, it looks like WhatsApp wasn't broken. The attack
seemed to use a security vulnerability in Android.

~~~
AndrewKemendo
False distinction.

If I can use the carrier/hardware system to implement an attack, then the
entire system is not secure. As a result you can't claim that {system{sub-
system in question}} is secure because the system security is implied.

This is the whole point of defense in depth.

~~~
aaronbrethorst
I'd say it's a crucial distinction. It affects not just WhatsApp, but the mail
app, Messenger, SMS, Hangouts, etc.

~~~
AndrewKemendo
Very true. Which means it's an insecure platform. Which means any application
claiming security on it is insecure - and thus they shouldn't claim security.

------
StavrosK
Looks like they installed a keylogger on Android without root. WhatsApp has
absolutely _nothing_ to do with this, it might as well have been notepad. Yay
clickbait.

------
cisstrd
Why are they calling it WhatsUp on multiple occasions? Are those typos? (I am
not a Smartphone user, but I thought it was WhatsApp?!)

------
AndrewKemendo
People are commenting that this isn't really a hack because it exploited
Android, rather than WhatsApp.

That is exactly how exploits work in the wild, so the distinction is false. If
I can get the info I need through a side-channel, no matter what it is, it's
still a vulnerability. Full stop.

If it really is just an Android problem and doesn't carry over to iOS, then if
WhatsApp is truly dedicated to _security over everything_, then they should
disable on Android until the vulnerability is fixed on the Android side.

Given that that course of action would kill the vast majority of WhatsApp's
base I don't foresee that happening.

edit: Also if you read the article again you'll see that the focus is on
Android/Google vulnerabilities - and they used WhatsApp to demonstrate it as
it's the widest distributed and used "secure" system on Android.

~~~
ams6110
Well, they said Snapchat is vulnerable to the same attack.

As a developer you generally have to assume that the end-user devices are
trustworthy, since that is where you render the message into something the end
user can see/read/use. You can assume the network is hostile, and that the
sender may be hostile, but if your phone/PC is also hostile it's pretty much
game over.

Related -- never check your email or bank accounts on a public kiosk.

~~~
AndrewKemendo
_As a developer you generally have to assume that the end-user devices are
trustworthy_

Absolutely not. If you are designing for security, literally nothing in the
chain is assumed to be secure by default - including the BTS and carrier
networks.

As someone who has designed these systems I ALWAYS take the device security
into consideration, for this exact reason. As I mentioned elsewhere, the
defense in depth model covers this in detail.

[1]: https://en.wikipedia.org/wiki/Defense_in_depth_%28computing%29

------
buckyball
The opener photo says it all. Maybe we gonna see J. McAfee in a Hollywood
production soon, this guy for sure has enough stuff to fill a movie. jm2ct.

------
superkamiguru
When I think of WhatsApp being hacked, I expect a man-in-the-middle attack.
Not an attack from both ends of the exchange...

------
SolarNet
Pretty sure this is just a stunt for his political campaign.

