topic Re: Whatsapp? in Tech Talk

Whatsapp?

rslade — Tue, 18 Dec 2018 20:09:41 GMT

OK, I am being asked to get a Whatsapp account.

Any experience, particularly from the security perspective?

(So far the thing seems only tenatively usable. It's supposedly multiple device, but while getting it installed seems doable, utilizing an account on more than one device seems impossible ...)

Re: Whatsapp?

Shannon — Wed, 19 Dec 2018 02:57:12 GMT

@rslade wrote:
It's supposedly multiple device, but while getting it installed seems doable, utilizing an account on more than one device seems impossible ...

A WhatsApp account is linked to a mobile number. After verification of the number on a mobile device, the account gets linked to the device itself. Should the number expire or the SIM card be removed, the account can still be used --- until it is deleted or set up on another device.

Still, it's possible to use it on at least 2 devices at once with WhatsApp Web --- which requires an active session on the mobile device.

@rslade wrote:
Any experience, particularly from the security perspective?

No doubt the fact that it's been acquired by Facebook has got a lot of us concerned about privacy. WhatsApp allows customization of account settings to enhance security & privacy, but there have been security issues pointed out --- including one exploiting group chats.

Things can go wrong without all this if you don't manage the account properly. When getting a new number, either change the number of the account, or delete the old account & create a new one. When changing the device, either set up the account on the new device or uninstall it from the old device.

In all cases, notify your contacts about the change. If others message an old number using WhatsApp, they'll probably be communicating with the new holder of the number while under the assumption that it's you...

Re: Whatsapp?

CraginS — Wed, 19 Dec 2018 10:39:41 GMT

@rslade wrote:
...Whatsapp account. ...
Any experience, particularly from the security perspective?

Never used it, Never will: Facebook owns Whatsapp.

Say no more.

Re: Whatsapp?

rslade — Wed, 19 Dec 2018 18:13:42 GMT

> Shannon (Contributor III) posted a new reply in Tech Talk on 12-18-2018 09:57 PM

> WhatsApp account is linked to a mobile number. After
> verification of the number on a mobile device, the account gets linked to
> the device itself.

Yeah. Royal pain. I have an old Windows phone that never has been used as a
phone: I used it as a mini-tablet until it got so old/unsupported that not even
Twitter would work anymore. (I think that was in the mass swithover to https.)
It installed Whatsapp all right, and I used my cell number to activate it fine.
But then when I activated the cell phone itself, the Windows phone immediately
popped up a message that it was no longer verified. Understandable, I suppose,
but unsettling.

> Should the number expire or the SIM card be removed, the
> account can still be used --- until it is deleted or set up on another device.

As noted above. I'm looking into the use of burner numbers, but nothing, so far,
seems reliable.

> Still, it's possible to use it on at least 2 devices at once with WhatsApp
> Web --- which requires an active session on the mobile device.

Yeah, mean to test that out when I get a chance. The whole QR code thing seems
weird: do you have to verify with the QR code rigmarole every time you want to
use it on the computer? Can you use it on two computers? I've noticed that the
QR code flickers while sitting on the screen: I assume it is changing (every 15
seconds?)

> No
> doubt the fact that it's been acquired by Facebook has got a lot of us
> concerned about privacy.

No kidding.

> WhatsApp allows customization of account settings to
> enhance security & privacy,

>From a first look, those settings seems pretty cosmetic: mostly about who can see
your profile, etc.

> but there haveÂ been security issues pointed out ---
> including one exploiting group chats. Things can go wrong without all this if
> you don't manage the account properly.

One one my concerns: what is "properly"?

> When getting a new number, either
> change the number of the account, or delete the old account & create a new one.
> When changing the device, either set up the account on the new device or
> uninstall it from the old device. Â In all cases, notify your contacts about
> the change. If others message an old number using WhatsApp, they'll probably be
> communicating with the new holder of the number while under the assumption that
> it's you...

I remember an old Blackberry bug along those lines ...

You mentioned Whatsapp security groups. Can you give me more info about
those?

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
This taught me a lesson, but I'm not sure what it is. - John McEnroe
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Re: Whatsapp?

Shannon — Thu, 20 Dec 2018 05:36:09 GMT

@rslade wrote:
do you have to verify with the QR code rigmarole every time you want to
use it on the computer? Can you use it on two computers?

It's supposed to be limited to a single WhatsApp session per account, but frankly, the session management is confusing. If a specific computer's WhatsApp session ends, it prompts you to re-scan the QR code, but to do that you have to log out from sessions on the WhatsApp phone application --- which makes no sense if it was a single session in the 1st place.

@rslade wrote:
You mentioned Whatsapp security groups. Can you give me more info about
those?

Not security groups, just a means of facilitating communication with multiple parties. Seems that joining the groups is mandated --- should anyone add you to a group, you'll be in without even an invitation to accept..! Preventing it from happening requires that you block a group admin --- but to do that you need to know who the admin is in the 1st place, & groups often have many admins. (The only consolation is that you can mute the groups, so that you won't be bothered with notifications)

Re: Whatsapp?

rslade — Thu, 20 Dec 2018 17:20:42 GMT

> Shannon (Contributor III) posted a new reply in Tech Talk on 12-20-2018 12:36 AM

> @rslade wrote: do you have to verify with the QR code rigmarole every time you
> want to use it on the computer? Can you use it on two computers?

> It's supposed
> to be limited to a single WhatsApp session per account, but frankly, the session
> management is confusing. If a specific computer's WhatsApp session ends, it
> prompts you to re-scan the QR code, but to do that you have to log out from
> sessions on the WhatsApp phone application --- which makes no sense if it was a
> single session in the 1st place.

Yes, you're right: that does sound odd.

> @rslade wrote: You mentioned Whatsapp
> security groups. Can you give me more info about those?

> Not security
> groups, just a means of facilitating communication with multiple parties. Seems
> that joining the groups is mandated --- should anyone add you to a group, you'll
> be in without even an invitation to accept..! Preventing it from happening
> requires that you block a group admin --- but to do that you need to know who
> the admin is in the 1st place, & groups often have many admins. (The only
> consolation is that you can mute the groups, so that you won't be bothered with
> notifications)

Ah, I had thought you were talking about specific security resources or sources of
info. Your notes are interesting on two fronts, particularly since the person who
wanted me (and others) to get into Whatsapp keeps mentioning groups ...

Thanks, Shannon, your background and experience is helpful.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
The truth shall make ye fret - Terry Pratchett
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB