Dutch security expert Bas Bosschert said the flaw allowed any app to read and send chat logs.
He fears it could be used by hackers to create ‘rogue’ apps.
‘The WhatsApp database is saved on the SD card which can be read by any Android application if the user allows it to access the SD card.
‘And since the majority of people allow everything on their Android device, this is not much of a problem,’ Bas Bosschert wrote on his blog.
He outlined the steps needed – and even provided the code to do it.
‘What do we need to steal someone’s WhatsApp database? First we need a place to store the database,’ Bosschert explained.
‘Next thing we need is an Android application which uploads the WhatsApp database to the website.’
He also revealed how to add the required code to an existing app.
‘By doing the magic in the loading screen you can also add this code to a real application instead of the Hello World message you see now.
‘Combine it with something like FlappyBird and a description how to install applications from unknown sources and you can harvest a lot of databases.’
‘So, we can conclude that every application can read the WhatsApp database and it is also possible to read the chats from the encrypted databases.
‘Facebook didn’t need to buy WhatsApp to read your chats.’
WhatsApp said the claims have been overstated.
‘We are aware of the reports regarding a “security flaw”,’ it told TechCrunch.
‘Unfortunately, these reports have not painted an accurate picture and are overstated.
‘Under normal circumstances the data on a microSD card is not exposed.
‘However, if a device owner downloads malware or a virus, their phone will be at risk.
‘As always, we recommend WhatsApp users apply all software updates to ensure they have the latest security fixes and we strongly encourage users to only download trusted software from reputable companies.’
Source: Daily Mail