WhatsApp, the messenger owned by Facebook, stores the user's two-factor authentication password unencrypted. This was reported on Twitter by the publication WABetaInfo.
A user has recently discovered that WhatsApp stores the 2FA passcode in plain text in a file in their sandbox.
Being into the sandbox, no other apps can read that file, but there are some cases (in particular the second one) that should force to encrypt the 2FA Code. https://t.co/nmrNSGkKSU
– WABetaInfo (@WABetaInfo) March 22, 2020
The messenger introduced two-factor authentication, which further protects an account from unauthorized access, in 2017. It is not implemented as in other services, though: the user has to come up with a six-digit PIN. Once activated, this password is requested in addition to the normal access code that WhatsApp sends to your mobile phone when you set up your account on a new device.
It is this user-specified password that is not adequately protected: the researchers found that the messenger stores it in plaintext in its “sandbox” area of memory, access to which is closed to other applications.
Closed, but not in all cases. For example, the sandbox does not hold on an iPhone that is supported by the checkra1n jailbreak, or on an iOS version with a vulnerability that allows the “sandbox” to be broken into. As for Android, WhatsApp's “protected area” can be accessed on smartphones whose owner has obtained superuser permissions (root access).
So ordinary users who run current versions of their operating systems and do not perform non-standard manipulations on their devices have nothing to worry about. At the same time, the fact that a sensitive password is stored in clear text demonstrates Facebook's approach to ensuring the safety of its users: where it is possible to save man-hours during development, they will be saved.
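An added example, not code from WhatsApp or the researchers: a storage check a developer can run over a copy of their own app's data container from a test device, to confirm that a known test PIN does not appear in it in readable form. The file names, the `two_step_code` key and the PIN `739104` are constructed for the illustration.

```python
import base64
import hashlib
import tempfile
from pathlib import Path

def encodings_of(secret: str) -> dict[str, bytes]:
    """Byte patterns under which a short numeric secret is still effectively plaintext."""
    raw = secret.encode("ascii")
    return {
        "utf-8": raw,
        "utf-16le": secret.encode("utf-16-le"),
        "utf-16be": secret.encode("utf-16-be"),
        "base64": base64.b64encode(raw),  # matches only when the PIN was encoded on its own
    }

def find_plaintext_secret(root: Path, secret: str) -> list[tuple[str, str, int]]:
    """Return (relative path, encoding, byte offset) for every file exposing the secret."""
    needles = encodings_of(secret)
    hits = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        for name, needle in needles.items():
            offset = data.find(needle)
            if offset != -1:
                hits.append((path.relative_to(root).as_posix(), name, offset))
    return hits

def build_constructed_container(root: Path, pin: str) -> None:
    """Constructed sample container: two files leak the PIN, one holds only a derived value."""
    (root / "Library/Preferences").mkdir(parents=True)
    (root / "Documents").mkdir()
    (root / "Library/Preferences/settings.plist").write_text(
        f"<dict><key>two_step_code</key><string>{pin}</string></dict>")
    (root / "Documents/cache.bin").write_bytes(b"\x01\x02" + pin.encode("utf-16-le"))
    # Stand-in for any non-plaintext form. A six-digit PIN has only 10**6 values, so
    # real protection also needs a key held outside the readable container.
    salt = b"constructed-salt"
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
    (root / "Documents/verifier.bin").write_bytes(salt + digest)

def demo() -> list[tuple[str, str, int]]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_container(root, "739104")
        return find_plaintext_secret(root, "739104")

if __name__ == "__main__":
    for path, encoding, offset in demo():
        print(f"{path}: PIN found as {encoding} at byte {offset}")
```

Use a test PIN that is unlikely to occur by chance, since any six-digit sequence can appear incidentally in large binary files.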
The weak protection of the Facebook-owned messenger has been repeatedly criticized by the head of Telegram, Pavel Durov. In his opinion, the developers of WhatsApp intentionally insert backdoors into the program, loopholes that allow interested parties to access user data.