Saturday, 28 July 2012

WhatsApp Follow Up: Unauthenticated Upload

A bit more than two months ago I wrote a rather large post on the lack of security in WhatsApp. The conclusion of that post was that WhatsApp is insecure but they're working on it. Personally I'd never use it to send serious/secret/sensitive messages.

But not all the security vulnerabilities were explained in that post! There was one more, one that might be very severe. I also contacted WhatsApp about this vulnerability and they said it would take some time to fix the issue. Considering that was more than two months ago, they've had enough time to fix it. After explaining the problem we'll check whether it's still present in the current version of WhatsApp.

The Problem

When using WhatsApp it's possible to send attachments to your contacts. The files you send to each other are saved on WhatsApp's server so the recipient can download them at any time. Uploading is done by sending the following POST request over HTTPS:


Notice that no login details are required. For the example shown the file got uploaded to
https://mms303.whatsapp.net/d11/27/17/3/a/3a.html
which includes the original file name. In fact you can open the above URL in a browser and the HTML file is displayed. This means that even though files are uploaded with a Content-Type of application/octet-stream, they're still served as an ordinary HTML file once uploaded. This of course makes you wonder what happens when sharing PHP files using WhatsApp. I tried uploading the same file as shown in the screenshot, but this time named 3a.php. The upload was successful and the file was saved at
https://mms303.whatsapp.net/d4/27/17/3/a/3a.php
but as you'll notice, opening .php files is blocked with a 403 error message. Furthermore, filenames such as index.php and .htaccess are blocked. So some protection is in place to prevent users from uploading malicious files. Unfortunately I can't test their server-side security any further, since if I did, I would be attacking their server and breaking the law.

So at first sight malicious files can't be uploaded. However, only very minimal tests are possible without WhatsApp's permission to test it in detail. The fact remains that it was not designed with security in mind.

Current Situation

After starting my Android emulator again (also after two months) and opening WhatsApp I was greeted with the message that my current version of WhatsApp was out of date. In fact it was so old that it simply couldn't connect to the WhatsApp servers. This seemed good. Maybe they also changed the upload process and it's now all authenticated and secure.

Unfortunately I got my hopes up too early - the bug wasn't fixed. The method outlined above still works and anyone can upload files. Considering this issue was reported more than two months ago I have decided to make it public in the hopes it will get fixed sooner.

WhatsApp could give every uploaded file a random filename. All downloaded files should be served with a Content-Type of application/octet-stream, which is currently not being done, since the .html file could be displayed in the browser. And of course only authenticated users should be able to upload files!

Conclusion

As I've said before: watch out when using WhatsApp. Don't use it for any serious or important messages. Don't blindly trust incoming messages.

8 comments:

  1. Hi, how do you know which is the download URL? Is there an automatic way to obtain the download URL from the uploaded file name?

  2. After uploading the file the server will send back a reply in XML format. That reply contains the URL where the file is uploaded.

  3. Ok, thank you very much. I have another question. Do you know whether this form of uploading files is still enabled on the WhatsApp server?

  4. I don't know whether it still works. Just try it yourself and see what happens. The precise request is shown in the screenshot.

    1. I get the following message:


      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
      <plist version="1.0">
      <dict>
          <key>error</key>
          <string>exists</string>
      </dict>
      </plist>

      Any idea what it means? I am developing a WhatsApp client for my WebOS device and I would like to include this feature.

  5. Mariano Di Martino, 15 August 2012 at 19:21

    I never trusted that application...

  6. This comment has been removed by the author.

  7. Thanks for taking this opportunity to discuss this; I appreciate it, and if you have some more information please share it with me. Visit here
