Information security experts have found that the password a WhatsApp user creates for two-factor authentication is stored on the user’s device in unencrypted form, which means that in theory it could be used for fraudulent purposes. This is not the first time the Facebook-owned messenger has been criticized for its security problems.
Two-factor authentication in WhatsApp turned out to be less secure than expected: the WABetainfo blog noticed that the user’s own password is stored on the device in unencrypted form.
The two-factor authentication feature, or “two-step verification” as the messenger calls it, is designed to protect the user from outside intrusion, since attackers can intercept the secret code sent to the user’s phone number. When two-step verification is enabled, the device owner chooses a six-digit PIN that is requested, in addition to the code sent by SMS, each time the messenger confirms the identity of the account owner.
As information security experts found out, this PIN is stored unencrypted in the messenger’s sandbox, an area that other applications cannot access by default.
However, there are a number of exceptions in which it is still possible to access the sandbox and learn the user’s password.
For example, iPhones jailbroken with checkra1n are vulnerable, although an attacker needs physical access to the device.
On Android devices the PIN can be read if the owner has root access, which grants broad superuser privileges.
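To make the flaw concrete, here is an added example (not code from the article, WABetainfo or WhatsApp) that contrasts writing a two-step-verification PIN in plaintext to an app-private file with writing only a salted scrypt hash, plus a defender’s check of whether the stored file reveals the PIN verbatim. The PIN value and file names are constructed for the demonstration.

```python
"""Plaintext vs. hashed storage of a six-digit 2SV PIN in an app sandbox."""
import hashlib
import json
import os
import secrets
import tempfile

PIN = "482913"  # constructed sample six-digit PIN, not a real one
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)  # memory-hard parameters


def store_pin_plaintext(path: str, pin: str) -> None:
    # Weak form: the PIN is written as-is, so anyone who can read the
    # sandbox (root on Android, a jailbroken iPhone) obtains it directly.
    with open(path, "w") as f:
        json.dump({"two_step_pin": pin}, f)


def store_pin_hashed(path: str, pin: str) -> None:
    # Hardened form: keep only a random salt and an scrypt digest of the PIN.
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(pin.encode(), salt=salt, **SCRYPT)
    with open(path, "w") as f:
        json.dump({"salt": salt.hex(), "digest": digest.hex()}, f)


def verify_pin_hashed(path: str, candidate: str) -> bool:
    # Recompute the digest with the stored salt and compare in constant time.
    with open(path) as f:
        rec = json.load(f)
    digest = hashlib.scrypt(candidate.encode(), salt=bytes.fromhex(rec["salt"]), **SCRYPT)
    return secrets.compare_digest(digest.hex(), rec["digest"])


def file_reveals_pin(path: str, pin: str) -> bool:
    # Defender's check: does the stored artifact contain the PIN verbatim?
    with open(path, "rb") as f:
        return pin.encode() in f.read()


def demo() -> dict:
    # Writes both forms into a temporary "sandbox" and reports what each reveals.
    with tempfile.TemporaryDirectory() as sandbox:
        plain = os.path.join(sandbox, "plain.json")
        hashed = os.path.join(sandbox, "hashed.json")
        store_pin_plaintext(plain, PIN)
        store_pin_hashed(hashed, PIN)
        return {
            "plaintext_reveals_pin": file_reveals_pin(plain, PIN),
            "hashed_reveals_pin": file_reveals_pin(hashed, PIN),
            "hashed_verifies_correct": verify_pin_hashed(hashed, PIN),
            "hashed_rejects_wrong": verify_pin_hashed(hashed, "000000"),
        }


if __name__ == "__main__":
    print(demo())
```

A six-digit PIN has only a million possible values, so a local hash merely slows down someone who already has sandbox access; the protection that matters is the server-side check with rate limiting, which is why storing the PIN on the client at all deserves scrutiny.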
One user, commenting on the WABetainfo find, said that this vulnerability “feels like Facebook style”. Indeed, Zuckerberg’s social network has had serious problems with the security of its users’ data for the past two years, and WhatsApp, owned by Facebook, has been repeatedly accused of negligence with regard to its security mechanisms.