
Where WhatsApp Went Wrong: EFF's Four Biggest Security Concerns - DiabloD3
https://www.eff.org/deeplinks/2016/10/where-whatsapp-went-wrong-effs-four-biggest-security-concerns
======
subliminalpanda
I've had to re-install WhatsApp because of a botched update. I do not get an
option now to opt-out of Facebook data sharing. I wonder if my decision
prior to the update to opt-out persists with them.

------
Amir6
Very disappointing with many other (and arguably more important)
security/privacy issues that are left out of this report.

~~~
uph
A bit disappointing that you left them out of your comment as well.

~~~
Amir6
Here is a brief comment I made 20 days ago on the same issue:

[https://news.ycombinator.com/item?id=12559127](https://news.ycombinator.com/item?id=12559127)

Thanks for your interest and looking forward to having a discussion here with
other HNers.

~~~
uph
> _What I can not comprehend is how respectable people and experts like
> Snowden and others from EFF can get behind a messenger that its
> authentication is based on cell phone numbers!_

Authentication isn't based on cell phone numbers, that's just the identifier.
See "verify security code" here:
[https://www.whatsapp.com/faq/en/general/28030015](https://www.whatsapp.com/faq/en/general/28030015)
The problem, which EFF does mention is that "if your contact changes keys,
this fact is hidden away by default."

> _When an application sends all your contacts to its servers (whether they
> are hashed or not) and more importantly when your whole access depends on a
> non-encrypted code sent via SMS_

Correct me if I'm wrong but it seems as if you think that someone who hijacks
your number will get access to some account where all your contacts are.
That's not the case. The problem here is the same as above.

> _and worst of all, your identifier can be tied to your real identity
> extremely easy, how can they call it secure at all?_

> _It is not all about E2E or how the crypto is designed or implemented, its
> also about your anonymity, your social graph and other pieces of information
> which are arguably more important not to give away!_

That doesn't make it insecure, it's just not anonymous. No one claims that it
is and it's not a goal
[https://www.whatsapp.com/faq/en/general/20971813](https://www.whatsapp.com/faq/en/general/20971813)

~~~
Amir6
On the first point: Account authentication (when you set up your account or
when you add a new device) is done via a non-encrypted text message delivered
to you by the tel-co service. This method is extremely insecure as it has been
used by state and non-state sponsored hackers to hijack the account. IMHO the
only reason a messaging service uses and relies on a phone number to identify
(and of course authenticate accounts) is to steal (that's how I see it) their
contacts and force them to use the service in order to grow their user base.
Such an unethical and disturbing practice cannot be endorsed by an organization
like EFF.

Regarding the second point, as mentioned above, my problem is with the support
EFF shows for such applications/corporations. If you are looking to avoid mass
surveillance, of course the ability to be anonymous is critical.

~~~
uph
> _On the first point: Account authentication (when you set up your account or
> when you add a new device) is done via a non-encrypted text message
> delivered to you by the tel-co service. This method is extremely insecure as
> it has been used by state and non-state sponsored hackers to hijack the
> account._

Again, the problem here is that "if your contact changes keys, this fact is
hidden away by default." If WhatsApp did that by default, like Signal, then
you would know that the key had changed.

> _IMHO the only reason a messaging service uses and relies on phone number to
> identify (and of course authenticate accounts) is to steal (that's how I
> see it) their contacts and force them to use the service in order to grow
> their user base. Such unethical and disturbing practice can not be endorsed
> by an organization like EFF._

The phone number is used for contact discovery. You're not forced to do
anything. For most people when they download a messenger they want to use it
to talk to other people and they don't find it disturbing or unethical when
that's possible.

[https://whispersystems.org/blog/contact-discovery/](https://whispersystems.org/blog/contact-discovery/)

> _If you are looking to avoid mass surveillance, of course the ability to be
> anonymous is critical._

Luckily it's possible to use more than one app. I'm ok with my friends knowing
who I am. This app makes it easy to find your friends. If you want to talk to
people you don't know without them knowing who you are, there are other apps.
That's not the purpose of this one. It doesn't make it bad, it doesn't make it
insecure, it just means it's not for you.

~~~
Amir6
1) Again I'm not talking about verification of whoever is on the other side of
the conversation, it's about hijacking the account (whether by breaking into
the Tel-Co system or having access to it using a court order). There are other
means to verify the person you are talking to (signing a message in the
beginning of conversation using another app or software) but if all that it
takes for someone to have access to my account is to get a copy of that text
(containing authentication code) I'm not sure if anyone can call this secure.
IMO this security flaw is far more important than having E2E. I hope I was
able to differentiate between authentication and verification.

2) If you are using this app, you are forced to give up a copy of all your
contacts and also the app is scanning for new contacts several times every
hour! If this was an opt-in option, I wouldn't have any issues with it. Some
people might favor convenience over security as is their right but forcing a
social graph of all your friends (almost in all cases without even a simple
warning) out of you because you simply want to use the service is frankly
disturbing.

3) Unluckily, there are no apps that have such strong E2E standard while
implementing the points I raised.

What I'm more concerned about is EFF's bar to endorse a platform with such bug
flaws.

~~~
uph
> _1) Again I'm not talking about verification of whoever is on the other
> side of the conversation, its about hijacking the account (whether by
> breaking into the Tel-Co system or having access to it using a court order)._

What do you imagine happens when someone hijacks "the account"? They don't get
access to your past conversations, they don't get access to your contacts. All
that happens is that they can impersonate you, which your friends will notice
when they are notified that the key changed.

> _If you are using this app, you are forced to give up a copy of all your
> contacts and also the app is scanning for new contacts several times every
> hour!_

I'm pretty sure it asks you and you have to give it permission. And again,
most people WANT to find their contacts. What's the point of having a
messenger and no one to send your messages to?

> _If this was an opt in option_

It is opt-in, no one is forcing you to use WhatsApp. It's not like people
don't know that they will be able to contact their friends through WhatsApp
and are shocked and dismayed when they find out that's the case. You do
realize not _every_ app in existence has to follow your requirements right?
You're free to use something that _does_, but the reason the majority use
WhatsApp is that it _doesn't_. That's not a bug, it's a design choice
that you happen to disagree with.

