WhatsApp design flaw makes it easy to read along any chats of any people.

Discussion in 'Application Software' started by Yen, May 9, 2016.

  1. Yen

    Yen Admin
    Staff Member

  2. R29k

    R29k MDL GLaDOS

    That's a huge step, Yen. It requires an open phone. People who leave their phones open and unattended in strange places need their head examined in the first place.
     
  3. MrMagic

    MrMagic MDL Guru

    Someone managed to physically get a hold of, and use, 7/9 people's phones, which were left unlocked and unattended, in a public cafe/restaurant?

    Source?

    If you physically get a hold of someone's device, be it mobile, PC, laptop, or anything, and they are not locked, you can do pretty much what you like, nothing special about WhatsApp
     
  4. CODYQX4

    CODYQX4 MDL Developer

    So basically bypass any security prompts and get what you want.

    Any app on my phone is vulnerable to that.

    My fix is never leave my phone unattended and lock it when I'm not using it.
     
  5. SOCRATE_MMXII

    SOCRATE_MMXII MDL Expert

  6. R29k

    R29k MDL GLaDOS

    This issue has nothing to do with the device and more with the stupidity of the people using the device. So how does using another phone help the issue?
     
  7. MrMagic

    MrMagic MDL Guru

    #8 MrMagic, May 9, 2016
    Last edited: May 9, 2016
    I think he was joking :)

    --

    Back on topic: If you leave your car unlocked with the keys in the ignition, near someone looking to steal a car, guess what is likely to happen!

    Nothing wrong with the security of the car itself, just the fact it wasn't used, and was left open to bad guys
     
  8. LatinMcG

    LatinMcG Bios Borker

    or good social engineering..

    "Hi, how are you doing? I work for (insert cell phone co here) and I'm doing a survey of users with WhatsApp for a chance to win a new phone.
    All I need to do is add you to my contacts list and we will contact you if you're a chosen winner."

    :clap:
     
  9. R29k

    R29k MDL GLaDOS

    Yes, that would get a lot of people, but they would probably just offer their phone number. How many would let you scan?
     
  10. MrMagic

    MrMagic MDL Guru

    As soon as someone asked to scan my phone, or take my number for a chance to "win" something, I'd tell them to jump

    Same as when even my own carrier cold calls me with the promise to save me money, GTFO, companies don't call people to lose money, or stop them paying that company as much, it's always in the company's favour, no matter what they tell you, somewhere down the line it will cost you more
     
  11. LatinMcG

    LatinMcG Bios Borker

    Part of it is to "take a pic of your phone, ma'am... to show who has the most need for it during winner selection"
     
  12. l33tissw00t

    l33tissw00t MDL Addicted

    web.whatsapp.com will only allow QR scanning if it detects the user agent as non-mobile (including tablet)
     
  13. CODYQX4

    CODYQX4 MDL Developer

    That's trivially spoofed though I'm not sure how that works as a security feature.
     
  14. Yen

    Yen Admin
    Staff Member

    #15 Yen, May 11, 2016
    Last edited: May 11, 2016
    (OP)
  15. MrMagic

    MrMagic MDL Guru

    #16 MrMagic, May 11, 2016
    Last edited: May 11, 2016
    I don't speak German or whatever that video is in, so.... lol

    Have no sympathy for people leaving their unlocked phones unattended in a public place, might as well just give some stranger all your details instead

    Would never hand over my phone to anyone, no matter how beautiful, if they needed help, I'd call for them
     
  16. Yen

    Yen Admin
    Staff Member

    Well, you know best how many times you've already lent your phone to somebody, if at all... or how many times you've left it unattended somewhere...

    It all depends on the will to have access... and if it's just for 'proof of concept'... to impress friends
    One could simply 'steal' the phone and bring it back later... watching friends, how many times they mislay their phones... quite easy...

    Either way a simple verification implemented and the design flaw would be gone...
     
  17. CODYQX4

    CODYQX4 MDL Developer

    On my app there is a list of signed in devices (though it's just browser, OS, and time), you can just force sign them out.
     
  18. MrMagic

    MrMagic MDL Guru

    Nobody gets my phone, I never leave it lying around if anyone else is here, and if I am out it stays in my pocket

    And it is locked

    This whole thing is the same as saying if you leave your front door unlocked, and money on the table, someone could come in and steal it

    Well, yea, lock your door, and don't leave money lying around for people to steal

    --
    If I leave my computer running, someone could read my emails, they could set up forwarding to another address, they could install a keylogger, enable remote access

    In all cases, the attacker has to have physical access, if they have physical access, that's your own fault
     
  19. R29k

    R29k MDL GLaDOS

    #20 R29k, May 11, 2016
    Last edited: May 11, 2016
    That's the issue and why I don't think this is a design flaw. The verification is access to your phone.
    If I decided to not put authentication on my phone then you can access WhatsApp and do whatever you want. But you can also access the entire SD card, the phone book, all my messages on SMS, emails, everything. So why not say it's a design flaw of those apps?
    It's like saying if I don't put a lock on my front door and I have a drawer with no lock with money in it and someone steals it. What do I do, blame the drawer and say that's a design flaw when the front door is always open?