Did the author email the WhatsApp team to give them any chance to fix this before they splashed it across the internet for anyone to abuse? The article makes no mention of it, so I assume not.
In my opinion, the obscurity peeled off by this expose did more to endanger WhatsApp users than the bad programming. So, I can only conclude this post's main goal is page views. OP could easily warn them, and at least wait until they didn't do anything before publishing.
My opinion - something so trivial as private data sent in plaintext isn't a bug or a security hole, it's bad by design. You shouldn't have to notify someone they've designed their app poorly. If he was taking advantage of a security hole, or something of that nature that wouldn't already be known to the developers, then I could see notifying them before publishing.
This is an excellent point. Fixing a design flaw this inherent is going to take more than a weekend of frantic dev time. It could conceivably take weeks to implement an overhaul to their framework, all the while the users are vulnerable.
In this case, I think I disagree. A lot of this not just easy for an attacker to find - it is trivially easy for an attacker to find. Letting people know their communications are vulnerable is important, and it's not like they don't have plenty of alternatives.
Just because a skilled attacker can trivially find the information, doesn't mean that the 15 year old kid living next door to you can find it. Now they can.
The problem doesn't stem from giving information to "l33t hax0rz" but rather providing the key information that can be abused by anyone with a computer and half a brain. They are the ones more likely to make use of it in a widespread and destructive manner.
But with that said, most developers don't care if you tell them this stuff directly since it's simply information and not a proof of concept. Until someone starts using it and shows them that its actually a problem that is affecting their product they usually write it off as paranoia.
The whole point is that you didn't have to be a skilled attacker to figure out anything mentioned in the post. If the author had discovered an obscure security hole that allowed him to access sensitive information, then yes he's only going to make the problem worse by distributing that information online.
But it does not take a skilled attacker to "hack" a system where messages are being sent in plain text.
My point is that most of the threats exposed don't take elite hacker, or even "l33t hax0rz", skills to discover. A hugely greater percentage of people are going to hear about this and say, "oh, I should switch to something else" or "oh, I shouldn't say sensitive things" than are going to fail to hear about this and be snooped on by someone who did and wouldn't have figured it out anyway.
Yeah I mostly agree with you, except that I highly doubt that most people who use WhatsApp will actually hear about it having a security issue, let alone care about it.
The security history of WhatsApp is so horrible, it does not seem to make any sense to talk to them. Alone the fact that their app is sending your contact list to their server, without asking you, on every app start, disqualifies the service. Their previous security track record just puts it over the edge.
Because it's always better for only the "bad guys" to know about these exploits? If it's as dead easy broken as the article claims then you can be damn sure a lot of other people already know about it and aren't advertising it. And with such a poorly designed security model do you really expect the App developer to care enough to essentially sepuku in the app stores till they fix it? unlikely.
You else where claim the author doesn't do enough to get the attention of non techie users to justify publishing this? What else could he have done? Spelled it out simpler? he only has his tech blog unless you think maybe he has funds to take out adverts and wishes to spend a small fortune alerting everyone that way?
A friend of mine works for WhatsApp. I tried bringing the original article to his attention, but it went down that day. I've linked him to both articles now.
I agree about the need to disclose such security issues to the authors privately. While I understand the sentiment of others, that it's such an inherent issue in their design that it'll take time to fix, that's not really a reason to not give them a chance. If it had been 1-2 months after disclosure, and it still wasn't fix, then sure, grab your pitchforks. But the initial public disclosure was on Sept. 5. I don't know if there was any private disclosure, but 10 days is not a lot of time to fix these kinds of things.
Nevertheless, I've linked them to it, let's see what they do.
This is the security equivalent of having a giant flashing neon sign saying, "the door is unlocked, please come steal my stuff." That is to say, it's blindingly obvious to anyone who cares to look, so there's no reason to try to hide it, even temporarily.
I'm usually all for "responsible disclosure", but in this particular case, I don't believe that they weren't already aware of these issues. So shaming them was the right thing to do.
In my opinion, the obscurity peeled off by this expose did more to endanger WhatsApp users than the bad programming. So, I can only conclude this post's main goal is page views. OP could easily warn them, and at least wait until they didn't do anything before publishing.