Jared Kushner-WhatsApp doesn’t have the best record

October 28, 2019

Just 1 month ago, on February 21, 2019, a WhatsApp vulnerability was found on iPhone. It wasn’t a small bug; it was a very serious security risk. WhatsApp has had a terrible history: one problem after another.

If Jared Kushner has been using WhatsApp around the globe since getting his Top Secret security clearance, is this a national security risk?

In my opinion, it’s grounds for immediate loss of

A security flaw has been found in the biometric analysis function of the messaging service

Network security and ethical hacking specialists from the International Institute of Cyber Security report the finding of a vulnerability in one of the privacy features recently added to the WhatsApp messaging service.

WhatsApp enabled biometric recognition for access to the application in order to protect users’ sensitive content when the phone is unlocked.

A user can access WhatsApp from the iOS Share Sheet without having to go through biometric identification.

The biometric lock offers options for when to lock: immediately, or after a time interval. If “immediately” is selected, the lock behaves correctly, but if a time interval (1 min, 5 min) is selected, the Share Sheet resets the timer, and anyone could access the app without verifying their identity.

Example:

  • Access the iOS Share Sheet, for example through the photo app
  • Click on the WhatsApp icon in the iOS Share Sheet
  • During the transition to the next screen, note that the FaceID or TouchID check is not performed if an option other than “immediately” was set in advance. Now just go to the iOS home screen
  • Try to open WhatsApp, and you can access it without biometric identification (either facial recognition or fingerprint)

Security teams at Facebook, the company that owns WhatsApp, say that they have already identified the vulnerability; the social network says that a correction will be implemented as soon as possible.

Facebook is the parent company of WhatsApp.
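The timer behaviour described above can be reproduced in a small model. This is an added example, not WhatsApp's code: the class `AppLock`, its `resetOnExtension` switch and the timings are hypothetical, chosen to show the flawed behaviour next to a hardened one in which only a successful biometric check restarts the interval.

```javascript
// Added example: simplified model of an app lock with a grace interval.
// All names are hypothetical; this is not WhatsApp's implementation.
class AppLock {
  // graceMs = 0 models the "immediately" option.
  // resetOnExtension = true models the flawed behaviour described above.
  constructor(graceMs, { resetOnExtension }) {
    this.graceMs = graceMs;
    this.resetOnExtension = resetOnExtension;
    this.lastAuthAt = null; // time of the last successful biometric check
  }

  // Called only after FaceID/TouchID has succeeded.
  authenticated(now) {
    this.lastAuthAt = now;
  }

  needsAuth(now) {
    if (this.lastAuthAt === null) return true;
    return now - this.lastAuthAt >= this.graceMs;
  }

  openFromShareSheet(now) {
    if (this.resetOnExtension && this.graceMs > 0) {
      // Flaw: the interval is restarted although nobody proved their identity.
      this.lastAuthAt = now;
      return { prompted: false };
    }
    // Hardened: the extension is gated like the main app and never moves the timer.
    return { prompted: this.needsAuth(now) };
  }

  openMainApp(now) {
    return { prompted: this.needsAuth(now) };
  }
}

// Owner authenticates at t=0 and walks away; ten minutes later the Share Sheet
// entry is used, and one second after that the main app is opened.
function replay(lock) {
  const MIN = 60000;
  lock.authenticated(0);
  const share = lock.openFromShareSheet(10 * MIN);
  const main = lock.openMainApp(10 * MIN + 1000);
  return { sharePrompted: share.prompted, mainPrompted: main.prompted };
}

console.log("flawed, 1 min:", replay(new AppLock(60000, { resetOnExtension: true })));
console.log("hardened, 1 min:", replay(new AppLock(60000, { resetOnExtension: false })));
```
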

March 2017

Check Point Discloses Vulnerability that Potentially Allows Hackers to Take over Hundreds of Millions of WhatsApp & Telegram Accounts

The exploitation of this vulnerability starts with the attacker sending an innocent-looking file to the victim, which contains malicious code.

The file can be modified to contain attractive content to raise the chances a user will open it. In WhatsApp, once the user clicks to open the image, the malicious file allows the attacker to access the local storage, where user data is stored. In Telegram, the user should click again to open a new tab, in order for the attacker to access local storage. From that point, the attacker can gain full access to the user’s account and account data. The attacker can then send the malicious file to all the victim’s contacts, opening a dangerous door to a potentially widespread attack over the WhatsApp and Telegram networks.

Since messages were encrypted without being validated first, WhatsApp and Telegram were blind to the content, thus making them unable to prevent malicious content from being sent.

Check Point disclosed this information to WhatsApp’s and Telegram’s security teams on March 7th. Both companies have verified and acknowledged the security issue and developed a fix for web clients worldwide soon after. “Thankfully, WhatsApp and Telegram responded quickly and responsibly to deploy the mitigation against exploitation of this issue in all web clients,” said Oded Vanunu. WhatsApp and Telegram web users wishing to ensure that they are using the latest version are advised to restart their browser.
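Because the service cannot inspect content once it is encrypted, any validation has to run on the sender's side before encryption. The sketch below is an added example of one such check, not the fix WhatsApp or Telegram deployed: it rejects an attachment whose bytes do not match the image type it is declared as. The function names, the allow-list and the sample bytes are assumptions made for the illustration.

```javascript
// Added example; function names are hypothetical and sample bytes are constructed.
// Leading signatures of the image types this client is willing to send.
const SIGNATURES = {
  "image/png": [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  "image/jpeg": [[0xff, 0xd8, 0xff]],
  "image/gif": [[0x47, 0x49, 0x46, 0x38, 0x37, 0x61], [0x47, 0x49, 0x46, 0x38, 0x39, 0x61]],
};

function startsWith(bytes, sig) {
  return bytes.length >= sig.length && sig.every((b, i) => bytes[i] === b);
}

// Runs on the plaintext, on the sender's side, because nothing past the
// encryption step can inspect the content.
function validateAttachment(declaredType, bytes) {
  const sigs = SIGNATURES[declaredType];
  if (!sigs) return { ok: false, reason: "declared type is not on the allow-list" };
  if (!sigs.some((sig) => startsWith(bytes, sig))) {
    return { ok: false, reason: "content does not match declared type" };
  }
  return { ok: true, reason: "" };
}

// `encrypt` stands in for the client's real encryption routine.
function sendAttachment(declaredType, bytes, encrypt) {
  const verdict = validateAttachment(declaredType, bytes);
  if (!verdict.ok) throw new Error("attachment rejected: " + verdict.reason);
  return encrypt(bytes);
}

// Constructed samples: a PNG header, and markup text labelled as a PNG.
const SAMPLE_PNG = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]);
const SAMPLE_DISGUISED = new TextEncoder().encode("<p>constructed sample, not an image</p>");

console.log(validateAttachment("image/png", SAMPLE_PNG));
console.log(validateAttachment("image/png", SAMPLE_DISGUISED));
```

A leading-signature check does not rule out a file that is valid as more than one format, so the receiving client should also handle the attachment strictly as the verified type.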

October 2018

Hijacked WhatsApp accounts traced back to voicemail hacking

Israeli government authorities warn users about new method of hijacking WhatsApp accounts

The alert, authored by the Israel National Cyber Security Authority, warns about a relatively new method of hijacking WhatsApp accounts using mobile providers’ voicemail systems.

This new hacking method was first documented last year by Ran Bar-Zik, an Israeli web developer at Oath.

The general idea is that users who have voicemail accounts for their phone numbers are at risk if they don’t change that account’s default password, which in most cases tends to be either 0000 or 1234.

The possibility of an account takeover happens when an attacker tries to add a legitimate user’s phone number to a new WhatsApp app installation on his own phone.

Following normal security procedures, the WhatsApp service would then send a one-time code via SMS to that phone number. This would typically alert a user to an ongoing attack, but Bar-Zik argues that a hacker could easily avoid this by carrying out the attack during nighttime or when he is sure the user is away from his phone.

After several failed attempts to validate the one-time code sent via SMS, the WhatsApp service would then prompt the user to perform a “voice verification,” during which the WhatsApp service would call the user’s phone and speak the one-time verification code out loud.

If the attacker has timed his/her attack at the proper time and the user can’t or won’t answer his phone, that message would eventually land in the victim’s voicemail account.

Since most mobile telco providers allow remote access to any customer’s voicemail account, all the hacker has to do is to enter the victim’s correct PIN, recover the spoken one-time code, and enter it inside his version of the WhatsApp app. This links the real user’s phone number with the hacker’s device, and effectively hijacks the account from the legitimate owner.

Once the hacker has gained access to the WhatsApp account, he/she can enable two-step verification, which would prevent the legitimate owner from re-taking control over his WhatsApp account without a six-digit number only the attacker knows.

The technique doesn’t require any technical skills and equipment to perform, and according to Israeli authorities, has been massively used in recent weeks, leading to numerous reports of hijacked accounts. (ZDNET.COM, By Catalin Cimpanu for Zero Day)

These are just a few of the vulnerabilities that WhatsApp has encountered since Jared Kushner has had top secret clearance.

Donald Trump doesn’t adhere to White House Electronic Device & Communication Security standards. I think this is a National Security disaster. I don’t blame Jared Kushner or Donald Trump.

This is just another case where law, legislation, policies, & standards can’t keep up with technology.

United States of America September 2018 NATIONAL CYBER STRATEGY
