Is WhatsApp Hacked?

Forbes is reporting that the Israeli cyberweapons arms manufacturer Wintego has a man-in-the-middle exploit against WhatsApp.

It’s a weird story. I’m not sure how they do it, but something doesn’t sound right.

Another possibility is that CatchApp is malware thrust onto a device over Wi-Fi that specifically targets WhatsApp. But it’s almost certain the product cannot crack the latest standard of WhatsApp cryptography, said Matthew Green, a cryptography expert and assistant professor at the Johns Hopkins Information Security Institute. Green, who has been impressed by the quality of the Signal code, added: “They would have to defeat both the encryption to and from the server and the end-to-end Signal encryption. That does not seem feasible at all, even with a Wi-Fi access point.

“I would bet mundanely the password stuff is just plain phishing. You go to some site, it asks for your Google account, you type it in without looking closely at the address bar.

“But the WhatsApp stuff manifestly should not be vulnerable like that. Interesting.”

Neither WhatsApp nor the crypto whizz behind Signal, Moxie Marlinspike, were happy to comment unless more specific details were revealed about the tool’s capability. Either Wintego is embellishing what its real capability is, or it has a set of exploits that the rest of the world doesn’t yet know about.

Posted on October 4, 2016 at 1:47 PM • 47 Comments


Evan October 4, 2016 5:23 PM

What is the likelihood that the Israeli defense industry has an unpublished cryptanalysis of (e.g.) AES256 that is actually practical? I’m inclined to say “little to none”, but I don’t know enough about their projected capabilities to say.

z October 4, 2016 5:34 PM


I seriously doubt that they have any sort of cryptanalytic attack on Rijndael. Side-channel attacks on the implementation? Maybe.

z October 4, 2016 5:35 PM

I meant to say “practical” attack on Rijndael above. I’m sure they do have impractical attacks.

Joe K October 4, 2016 8:36 PM


Does your censorship of @Grey’s link reflect a new policy of @Bruce?

Is there someplace we can read the specifics of that policy?

Joe K October 4, 2016 8:52 PM


My previous query was based on the assumption that @Grey posted a link to a copy of the article (hosted at some site that does not refuse to serve content to web agents that fail to run arbitrary javascript).

But, on a second reading, it seems equally possible that Grey’s comment itself contained the full text of the article in question.

If that second scenario is the case, please forgive my confusion.

LeeHamm October 4, 2016 8:57 PM

@Joe K
Maybe ‘Copyvio’ means copyright violation, in the scenario where the article was copied and pasted. Links make more sense for a new site!

Michael October 4, 2016 10:01 PM

From the article

… detailed contact lists, year-by-year calendars, files, photos, web browsing activity, and more.” It does that by acquiring login credentials for distinct accounts and then silently download “all the data stored therein” …


Where there are no credentials required – with chat apps like WhatsApp and, presumably, Facebook Messenger, Google, Allo, Telegram, etc. – the Extractor can pilfer secured data right from the apps.

This sounds to me much more like they have a WiFi Pineapple and some exploits for Android and iOS that allow them to get root access and siphon off credentials and stored messages rather than any earth shattering AES breaking attack.

For example the libutils bug in android could probably be triggered through DNS or some other service that runs in the background and can be easily MITMed and I’m sure you could get similar bugs in iOS if you looked hard enough or had enough money.

Simon B. October 4, 2016 11:52 PM

I think the easiest way for the attacker would be to use a privilege escalation exploit to read WhatsApp’s memory or read messages from the data folder, I believe they are only protected from other apps, and not encrypted.

This seems to be usual, e.g. Telegram:

Patrick October 5, 2016 1:03 AM

@Moderator: the link to Forbes yields only a blank page. Can you please edit the link to point to a page that shows the article?

Clive Robinson October 5, 2016 1:44 AM

@ Patrick,

… the link to Forbes yields only a blank page.

This has been a standard feature of Forbes for some time now. The last time I looked into it it appeared to be what you would expect with a poorly implemented site starting to switch over to a different revenue model.

@ All,

Matthew Green, quoted above, is currently involved in a court case against the US DoJ over the DMCA section 1201. He is being “supported” by the EFF and is petitioning the court on First Amendment grounds, and there have been some interesting wriggles at the end of last month. PDFs of which can be found from,

Drone October 5, 2016 2:54 AM

I can read the original Forbes article in-full with no pay-wall at the link provided in the top-post. To do so, I only had to temporarily allow scripting for the “” site, no others (and there are Many others, all nested like an onion!) Ads were unblocked, but with only scripts allowed there are no ads anyway. If you want the side panel and follow-on articles to show, simply allow scripting for the “” URL as well (no others needed). I’m using FireFox 49.0 with the NoScript plug-in in Linux Mint Cinnamon 17.3. I am located in S.E. Asia. Readers in other geo-locations may see different results. Enjoy…

Clive Robinson October 5, 2016 3:46 AM

In the article, Matthew Green, who has looked at the Signal code sufficiently to form an opinion, says,

    They would have to defeat both the encryption to and from the server and the end-to-end Signal encryption. That does not seem feasible at all, even with a Wi-Fi access point.

Whilst that is probably correct for attacking the algorithms, it might not be true for the practical implementation. That is the implementation on a device may have various communications time or power side channels that could be exploited.

Further, as others above allude to, it might involve some kind of malware injected into the device across the air that could get at device drivers etc for the keyboard and screen. However if that were the case you would expect the malware to be broader in scope and not just for WhatsApp.

Hence if I were placing the price of a pint on it I would be looking for some kind of side channel attack….

However it may be easier

Clive Robinson October 5, 2016 5:40 AM

@ Roger,

Is a P2P messaging app like Bleep by Bittorrent Inc. safer and more secure?

Long answer short “no”.

Look at it from an attack developer’s perspective, to pay for the R&D of a product they need it to be marketable in a relatively short window of opportunity.

Thus they will find and develop attacks for all popular platforms and those that are likely to become popular. They will then try to “guess the market” to sell at an optimum time.

This means that likewise the larger agencies will have also developed attacks, but as they don’t sell product they do not have optimum market considerations to take into account, just getting the job done.

Thus it would be wise to assume that all messaging systems be they instant, Email, VoIP or other are insecure, especially if they are popular or standardised through the more traditional standards organisations.

What you need is a two part solution, a security device and a communications device. At its simplest the security device could be an old fashioned One Time Pad, the communications device anything that is currently convenient. Whatever else you do never ever use a single device, and never put sensitive plaintext on the communications device no matter how urgent etc.

Provided you follow the rules you need not worry about the security of the communications device. However using as secure a communications device as you reasonably can, has the advantage of making any attacker’s job that not so little bit harder to identify you as a person of interest.

Moderator October 5, 2016 7:54 AM

@Joe K, @LeeHamm, @All: Yes, full text of the Forbes article was deleted after posting due to violation of copyright. Per fair use, visitors may include brief, relevant excerpts from copyrighted material in their comments, but not full text. @Patrick: I’ve added a terminal forward slash to the link; if this doesn’t help, a script-blocker may be preventing the page from displaying.

Curious October 5, 2016 8:22 AM

Speaking of passwords, I get annoyed every time I see the login field for a forum where there is also a login feature for Facebook.

The weird thing, to me anyway, is that even though the login field on the top for Facebook is empty, there is a ticker that says “stay logged in” (for Facebook login) and that ticker is enabled by default. So, even if I just enter my credentials to log into the forum and not Facebook, because of the two login fields seemingly being linked as an interface, I sort of wonder if Facebook can “siphon” off forum passwords that way.

Curious October 5, 2016 8:26 AM

To add to what I wrote:
To correct myself. It doesn’t actually say “stay logged in”, but “remember me”.

Daniel October 5, 2016 8:48 AM

Brazilian Federal Police claims to have intercepted whatsapp conversations, both on supposed-to-be terrorists and judges who are accused of selling habeas corpus to drug dealers. All is well, but how was the feat done?
In this article, a Brazilian Specialist in security claims that whatsapp had provided the users with compromised keys. I do not know how this would be possible in an end-to-end encryption system.
“First detail is: whatsapp can collaborate, because the app controls key distribution” (translation by yours truly).
Original: (Portuguese)

Clive Robinson October 5, 2016 9:12 AM

@ Here’s Johnny,

What about Bit Message is that any good?

I don’t know, because I trust none of them. Therefore I mitigate them by use of a secure device external to anything they might offer.

So I’ve no real need to check any of them from a “secure privacy” aspect.

That said it’s not just the “secure privacy” you need to worry about, but also “secure routing”, and this is an aspect that is a much harder problem to deal with.

Rolf Weber October 5, 2016 9:14 AM

From the brochure:
“Using the WINT interface, the system operator activates CatchApp on the target’s device.”
“The CatchApp solution can be activated on virtually all mobile phones running Android 4.0 or later and iPhones running iOS 7.0 or later.”

I think that makes it clear that the Wifi MITM is used to install some implant on the target’s phone.

Without more technical specification, it is of course much speculation, but I think it’s quite realistic that the device works.

Here's Johnny October 5, 2016 10:45 AM

@Clive Robinson

Bit message is interesting because it encrypts metadata.

Messages get broadcast to everybody which is both its biggest strength and weakness. (Only the intended recipient can decrypt the message.)

Like you said it is very hard to communicate securely without owning all the pieces but I think the network is a good idea.

mb October 6, 2016 8:47 PM

Am I missing something here?

The documents support shit. They are old.

The ‘most recent literature’ mentions iOS7 and Android 4 in the last paragraph of the first document and states that 95% of devices run on that.

iOS8 and Android 5 were released in 2014. So this document is most certainly predating WhatsApp encryption by quite a bit.

Moshe Reuven October 7, 2016 3:23 PM

I’m not so sure. There are people around, like the folks who hang out on YCombinator’s “Hacker News” that like to blame Israel for everything. I don’t think this is true at all.

Raul October 9, 2016 9:30 AM

Wintego is offering just a wifi interceptor that does man in the middle.
Nothing new.

Signal, whatsapp,etc are ALL fake. I also intercept their communication for last 2 years and post results on

Useless security for kids 🙂


Winter May 2, 2022 11:49 AM

comment-284954 Frank November 21, 2016 8:48 AM
comment-404257 Crypto Intel May 2, 2022 11:31 AM

All unsolicited advertising/spam
