Comment by varenc 17 hours ago

10 replies

If this were happening en masse, wouldn't this be discovered by the many people reverse engineering WhatsApp? Reverse engineering is hard, sophisticated work, but given how popular WhatsApp is, plenty of independent security researchers are doing it. I'm quite skeptical Meta could hide some malicious code in WhatsApp that's breaking the E2EE without it being discovered.

solenoid0937 16 hours ago

It would be trivial to discover and would be pretty big news in the security community.

I'd wager most of these comments are from nontechnical people, or technical people who are very far removed from security.

  • cosmicgadget 16 hours ago

    I'm technical and work in security. Since it is trivial, please explain. Ideally not using a strawman like "well just run strings and look for uploadPlaintextChatsToServer()".

    • solenoid0937 16 hours ago

      I don't see why standard RE techniques (DBI/Frida + MITM) wouldn't work, do you?

      WhatsApp is constantly RE'd because it'd be incredibly valuable to discover gaps in its security posture; the community would find any exfil here.

      • cosmicgadget 15 hours ago

        If people are trivially hooking iOS and Android applications then sure, it's just an exercise in dynamic analysis.

        Mobile applications are outside my domain so I am surprised platform security (SEL, attestation, etc.) has been so easily defeated.

palata 16 hours ago

Before that, Meta employees would know about it. Pretty convinced that someone would leak it.

beagle3 11 hours ago

This was happening en masse, perhaps still does - the cloud backup was unencrypted. Originally it was encrypted. Then, one day, Google stopped counting it towards your storage quota, but it became unencrypted. But even before that, Meta had the encryption keys (and probably still does).

When you get a new phone, all you need is your phone number to retrieve the past chats from backup; nothing else. That proves, regardless of specifics, that Meta can read your chats - they can send it to any new phone.

So it doesn’t really matter that it is E2EE in transit - they just have to wait for the daily backup, and they can read it then.

cosmicgadget 16 hours ago

Well they wouldn't be breaking e2ee, they'd be breaking the implicit promise of e2ee. The chats are still inaccessible to intermediaries, they'd just be stored elsewhere. Like Apple and Microsoft do.

I am not familiar with the state of app RE. But between code obfuscators and the difficulty of distinguishing between 'normal' phone home data and user chats when doing static analysis... I'd say it's not out of the question.