WhatsApp Faces New Challenge; Security Researcher Raises Possible Privacy Issue for Messaging Service

REED ALBERGOTTI

Updated March 13, 2014 7:50 p.m. ET

A security researcher says he has discovered a potential privacy glitch in text-messaging service WhatsApp that occurs when users switch phone numbers.

Xuyang Li, founder of TrustGo Mobile Inc., says that when he downloaded WhatsApp, he inherited the account information of a woman named Jessica, the previous owner of Mr. Li’s phone number. Mr. Li’s WhatsApp messages appeared to recipients to be messages from Jessica—complete with a profile photo of Jessica wearing a red scarf.

WhatsApp was lauded for its simplicity when Facebook Inc. agreed to acquire it last month for $19 billion. New WhatsApp users register only their phone numbers, and don’t create usernames or passwords. Mr. Li’s incident highlights how that simplicity might work against WhatsApp in this case.

To be sure, people who switch phone numbers often receive voice calls for the prior user of the number. The confusion may be amplified with messaging apps because information about users is stored on servers and can then be accidentally downloaded onto the phones of people who don’t own the accounts.

Flavio De Cristofaro, general manager of the Core Security Consulting Services offices in Buenos Aires, says mobile-app developers often focus on simplicity to attract as many users as possible, without adequately considering security issues. “There’s always a trade-off between security and usability,” he says.

Mr. Li’s revelation comes a few days after a different security consultant demonstrated on his website a way to read all the WhatsApp chats on an Android phone. In a written statement, WhatsApp said the report about the Android app wasn’t accurate and the risk “overstated.”

WhatsApp said the current version of its Android app prevents the chats from being downloaded in this way.

During registration, WhatsApp sends a new user a mobile SMS message with a verification code. It advises users to delete their accounts before they switch to a new number, or to transfer the account from their old number to the new one. But not all users follow those instructions.

When an account is inactive for 45 days, WhatsApp says it disconnects the account from the old phone number and deletes the user’s messages and profile information if the phone number is used on a new phone. But that safeguard doesn’t eliminate all possible issues. “That is why we encourage users to delete their accounts,” WhatsApp executive Neeraj Arora wrote in an email in response to The Wall Street Journal.

Mr. Li says WhatsApp could prevent identities from being switched with additional verification and security. He said he had emailed the company and its venture backers, but hadn’t received responses.

Mr. Li says the incident is a reminder that users should be vigilant about how their personal information is used by apps. “Users have to change their mind-sets from the PC world to the mobile world,” he said.

The risks of a user inheriting an old WhatsApp account are unclear. In the wrong hands, the information could be used to try to trick others into giving even more personal information about that person. WhatsApp says it doesn’t store old messages and it retains limited information about its users.

 
