
MacRumors

macrumors bot
Original poster
Apr 12, 2001
52,482
14,171



Popular third-party chat app WhatsApp is leaving a "forensic trace" of every supposedly deleted chat log, meaning anyone with access to your smartphone -- or another device connected through the cloud -- could potentially access data from the app. The discovery comes from iOS researcher Jonathan Zdziarski, who shared the information in a blog post after discovering the potential security flaw in the latest version of WhatsApp (via The Verge).

Zdziarski tested out his theory by beginning a few chat threads, then archiving, clearing, and deleting them, but found that none of the app's deletion methods, even Clear All Chats, "made any difference in how deleted records were preserved." The central flaw appeared to be in the app's SQLite records, which retained the deleted chats in its database that could be accessed by a harmful individual with the right "popular forensics tools."

In his post, Zdziarski mentioned that the problem isn't unique to WhatsApp, and has even gone into detail about "forensic trace leakage" in Messages on iOS and OS X, and ways Apple could address such privacy issues, in a separate blog post. He explained succinctly that short-lived chats between friends and family using these apps are "not ephemeral on disk," which not only could be a cause for concern with users, but could allow law enforcement legal access to thought-to-be-deleted WhatsApp messages thanks to the lack of encrypted communication between WhatsApp and iCloud.
The core issue here is that ephemeral communication is not ephemeral on disk. This is a problem that Apple has struggled with as well, which I've explained and made design recommendations recently in this blog post.

Apple's iMessage has this problem and it's just as bad, if not worse. Your SMS.db is stored in an iCloud backup, but copies of it also exist on your iPad, your desktop, and anywhere else you receive iMessages. Deleted content also suffers the same fate.
All the same, Zdziarski caps his post by mentioning there's no reason for widespread panic to ignite because of the WhatsApp security flaw, mainly due to the fact that someone with malicious intent would need to jump through so many hoops to finally access the deleted messages. The iOS researcher stated that his purpose was for users to simply "be aware of WhatsApp's footprint." He also gives a few options for users looking to mitigate the issue, including periodically deleting WhatsApp "to flush out the database," disabling iCloud backups, and avoiding the storage of backup passwords in Apple's keychain.

Earlier in the year, Apple reiterated its intent to double down on user privacy and safety within its iCloud platform. Currently, encrypted data saved in iCloud is accessible by Apple with a key, which grants it access to accounts for assistive purposes, like if someone forgets their password. However, with the steadily growing data amassing in users' iCloud accounts -- from texts to pictures and personal health data -- Apple is looking to provide end-to-end encryption in its cloud-based storage platform, meaning not even the company itself could gain access to the accounts of its users even if it wanted to.

Check out Zdziarski's blog post for more details on the issue.

Article Link: WhatsApp Security Flaw Leaves 'Trace of All Your Chats' Even After Deletion
 

RichTeer

macrumors member
Aug 13, 2014
93
188
Kelowna, BC, Canada
Whatsapp is a Facebook-owned company so yeah, security flaw.


Humour noted, but in the spirit of fair play, you seem to have missed this point in the original article: "In his post, Zdziarski mentioned that the problem isn't unique to WhatsApp, and has even gone into detail about "forensic trace leakage" in Messages on iOS and OS X, and ways Apple could address such privacy issues, in a separate blog post." (emphasis added).
 

smacrumon

macrumors 68030
Jan 15, 2016
2,683
4,010
This is just wrong. Someone take this company to court and sort it out.
 

fabiopigi

macrumors member
Jun 28, 2008
60
16
Wetzikon, Switzerland
You know, the sad thing is, most commenters only read "WhatsApp, security flaw", but the problem is not specific to Whatsapp but to the SQLite database.

Jonathan even wrote the same flaw exists in iMessage as well. But no... "it's facebook", "iMessage is better", "Don't trust facebook". Yeah there are valid arguments for all these claims, but this security leak is none of them.

Read the whole article at least before you foolishly bash another company.
 

Altis

macrumors 68030
Sep 10, 2013
2,986
4,481
You know, the sad thing is, most commenters only read "WhatsApp, security flaw", but the problem is not specific to Whatsapp but to the SQLite database.

Jonathan even wrote the same flaw exists in iMessage as well. But no... "it's facebook", "iMessage is better", "Don't trust facebook". Yeah there are valid arguments for all these claims, but this security leak is none of them.

Read the whole article at least before you foolishly bash another company.

This particular security flaw isn't specific to Whatsapp, but Facebook owning Whatsapp should tell you what level of privacy and security to expect of it.

iMessage still requires an actual intrusion.
 

iapplelove

macrumors 603
Nov 22, 2011
5,222
7,315
East Coast USA
You know, the sad thing is, most commenters only read "WhatsApp, security flaw", but the problem is not specific to Whatsapp but to the SQLite database.

Jonathan even wrote the same flaw exists in iMessage as well. But no... "it's facebook", "iMessage is better", "Don't trust facebook". Yeah there are valid arguments for all these claims, but this security leak is none of them.

Read the whole article at least before you foolishly bash another company.

Could not have said it better myself.
 

KALLT

macrumors 603
Sep 23, 2008
5,199
3,251
It is just a systemic problem with databases in general. Programmers do not always contemplate or implement operations that remove entries from databases, sometimes because the data model is just not built that way. As a user, you almost never know how data is stored and how the application or website handles deletion requests.

For real security, use open source. Signal or Telegram.

Avoid Telegram. Their encryption scheme is home-brewed and a few flaws have already been found, their server-side source code is closed-sourced and their company structure is dubious with a web of shell companies in jurisdictions that do not disclose full details. There is ample to find about Telegram that should make you sceptical, at least if you intend to use Telegram under the assumption that it offers ‘real security’.

Signal and Threema are definitely the more serious contenders.
 

69Mustang

macrumors 604
Jan 7, 2014
7,809
14,819
In between a rock and a hard place
This particular security flaw isn't specific to Whatsapp, but Facebook owning Whatsapp should tell you what level of privacy and security to expect of it.

iMessage still requires an actual intrusion.
Does it tell you that you should expect the same level of security in iMessage?:rolleyes:

You say iMessage still requires an actual intrusion. Is that, through your omission, an accusation that Whatsapp doesn't require an actual intrusion? I hope that's not the case, because that's pretty disingenuous.
Hey, like Facebook - hate Facebook, who really cares. Trying to tie feelings towards Facebook to a security flaw in Whatsapp is stretching the bounds of sound logic. Trying to differentiate the flaw in Whatsapp and iMessage by saying one requires an actual intrusion... that takes sound logic and shoots it in its metaphorical head.

To be fair, you may have overlooked this: "Apple's iMessage has this problem and it's just as bad, if not worse."

The most pertinent point? The researcher says there's really nothing to worry about due to the effort it would take for someone to access the messages... in both apps.
 

MacBH928

Contributor
May 17, 2008
5,815
2,327
What do you expect from a company that paid #20B for a messaging app that has many competitors but does not generate money whatsoever.

There should be like a global non-profit organization that fights and offers other options than those privacy intruding personal data gathering companies.
 

JosephAW

macrumors 68040
May 14, 2012
3,832
4,556
I'm trying to delete iMessage but it doesn't show an "X"
WHY CAN'T I DELETE IMESSAGE NOW APPLE!
 

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,388
19,440
What do you expect from a company that paid #20B for a messaging app that has many competitors but does not generate money whatsoever.

There should be like a global non-profit organization that fights and offers other options than those privacy intruding personal data gathering companies.
Well, they didn't really pay it for the app as much as for the users essentially.
 

MR-LIZARD

macrumors regular
Jan 9, 2012
101
154
UK
It is just a systemic problem with databases in general. Programmers do not always contemplate or implement operations that remove entries from databases, sometimes because the data model is just not built that way. As a user, you almost never know how data is stored and how the application or website handles deletion requests.

This. This is basic bread and butter for forensic bods and data recovery.

The singling out of WhatsApp (with a brief nod to other Apps and a quick mention of it being an inherent SQLite vacuuming issue) seems to be a bit of a media attention headline.

Any App using an SQLite database can suffer from this issue.

Most file systems suffer from this sort of issue too.
 
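The on-disk retention the article describes, and the "SQLite vacuuming issue" MR-LIZARD mentions above, as an added example that is not code from the article, from Zdziarski's post or from any poster here. It builds a throwaway chat-style SQLite file with constructed sample messages, deletes every row the way a "Clear All Chats" would, and checks whether the text is still readable in the raw file bytes; it then shows the two fixes available to an app developer, VACUUM after deletion and PRAGMA secure_delete so freed space is overwritten at delete time. The table name and messages are made up.

```python
import os
import sqlite3
import tempfile

# Constructed sample messages, not taken from any real chat database.
SAMPLE_MESSAGES = [
    "meet me at the station at six",
    "send the report before friday",
    "did you order new airtags",
]

def make_chat_db(path, secure_delete=False):
    """Create a chat-style SQLite file, insert the samples, then delete every row."""
    con = sqlite3.connect(path)
    # Set explicitly: some library builds (e.g. Debian, macOS) default secure_delete to ON.
    con.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO message (body) VALUES (?)",
                    [(m,) for m in SAMPLE_MESSAGES])
    con.commit()
    con.execute("DELETE FROM message")  # what "Clear All Chats" amounts to
    con.commit()
    con.close()

def leftover_messages(path):
    """Samples whose text is still readable in the raw bytes of the file.
    SQLite unlinks deleted cells but, unless told otherwise, leaves their bytes on the page."""
    with open(path, "rb") as f:
        raw = f.read()
    return [m for m in SAMPLE_MESSAGES if m.encode("utf-8") in raw]

def vacuum(path):
    """Rebuild the file from live rows only; freed page content is not carried over."""
    con = sqlite3.connect(path)
    con.execute("VACUUM")
    con.close()

def demo():
    """Return (leftovers after delete, after VACUUM, with secure_delete=ON)."""
    with tempfile.TemporaryDirectory() as d:
        naive = os.path.join(d, "naive.db")
        make_chat_db(naive)
        before = leftover_messages(naive)        # all three still on disk
        vacuum(naive)
        after_vacuum = leftover_messages(naive)  # nothing left
        hardened = os.path.join(d, "hardened.db")
        make_chat_db(hardened, secure_delete=True)
        after_secure = leftover_messages(hardened)  # overwritten at delete time
    return before, after_vacuum, after_secure
```

Note that VACUUM and secure_delete only clean the database file itself; a backup taken before the cleanup, which is the iCloud angle in the article, still carries the old copy.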

Speedy2

macrumors 65816
Nov 19, 2008
1,161
251
This. This is basic bread and butter for forensic bods and data recovery.

The singling out of WhatsApp (with a brief nod to other Apps and a quick mention of it being an inherent SQLite vacuuming issue) seems to be a bit of a media attention headline.

Well, if it helps to get attention to the issue, it's good attention.

Whatsapp implemented proper encryption after they've been pushed by security experts, now they can do it again and help fix another widespread problem. It's so simple to fix really!
 