Nataliya Portnova’s Post

Ever wondered why do we sometimes see this notification on Whatsapp!! The message “Waiting for this message. This may take a while” happens because of how end-to-end encryption (E2EE) is designed. 1. End-to-End Encryption Model * WhatsApp uses the Signal Protocol for encryption. * Messages are encrypted on the sender’s device and can only be decrypted on the recipient’s device. * WhatsApp servers do not have the decryption keys, they just act as a relay. This ensures privacy but introduces dependency on key availability. 2. Why “Waiting for this message” Happens This message usually appears when the encryption keys needed to decrypt a message are not yet available on your device. Common scenarios: a. Device Reinstall / Change * If you or the sender recently reinstalled WhatsApp or switched devices, new encryption keys are generated. * The message was encrypted with old keys → your device waits to receive the new session keys. b. Offline Recipient * If the sender is offline when the encryption session resets, your device cannot fetch the latest keys until the sender comes online. c. Multi-Device Setup * With WhatsApp multi-device, each device maintains its own encryption keys. * If one of the linked devices hasn’t synced yet, you may see this message. 3. System Design Tradeoffs From a distributed systems and security design perspective: * Security First: Keys are not stored on servers (prevents breaches), but this means key exchange depends fully on online devices. * Eventual Consistency: The system guarantees that once both devices are online and exchange keys, the pending message gets decrypted. Until then, you see this placeholder. * Stateless Servers: WhatsApp servers don’t keep decryption metadata, making the system highly scalable but at the cost of occasional delays like this. Think of it like a secure locker: * Sender locks a box with a key only you have. * If you lost/replaced your lock/key, you can’t open it until the sender provides a fresh key for your new lock. * The message “Waiting for this message” is basically WhatsApp saying: “We have the locked box, but we’re still waiting for the right key from the other side.” Follow Hitesh Garg for more 🫡 #whatsapp #systemdesign

My CISO Daily 1) WhatsApp zero‑day chain patched (CVE‑2025‑55177 + Apple CVE‑2025‑43300) Why it matters: A zero‑click in WhatsApp exploited in the wild, likely chained with an Apple ImageIO zero‑day, enables device compromise and covert surveillance—high‑value execs and comms teams are prime targets. Who is affected: WhatsApp for iOS < 2.25.21.73, WhatsApp Business for iOS < 2.25.21.78, WhatsApp for Mac < 2.25.21.78; Apple iOS/iPadOS/macOS versions prior to the Aug 20 ImageIO fix. Immediate actions: • Upgrade WhatsApp across iOS/macOS fleets via MDM; enforce OS updates carrying CVE‑2025‑43300. • Notify at‑risk users (execs, journalists) and verify device health; if targeted, follow vendor guidance (incl. factory reset where applicable). • Monitor for unusual iCloud/Apple ID and WhatsApp session activity. 2) Malvertising campaign pushes “AppSuite PDF Editor” to drop TamperedChef infostealer Why it matters: Google Ads–driven distribution of a convincing PDF editor lures staff, then (after ~56 days dormancy) steals browser credentials/cookies—direct route to account takeover and lateral movement. Who is affected: Windows endpoints where users can install software; orgs allowing ad‑driven downloads; roles handling documents (finance, HR, legal, sales). Immediate actions: • Block/eradicate “AppSuite PDF Editor” and related domains; hunt for persistence (Run keys/scheduled tasks) and DPAPI access patterns; rotate browser‑stored creds. • Tighten application allow‑listing and web filtering (ads/malvertising); alert users to avoid ad‑served “free editors.” • Add IOCs from reports to EDR/SIEM and watch for cookie theft–style logins.

🔐 Think your SMS is safe? Think again. Spoiler alert: It's like sending a postcard in the digital age. But don't worry, there's a better way. Enter Signal: the app that treats your messages like a secret handshake. With end-to-end encryption, your chats are between you and the recipient no one else. Why settle for less when you can have privacy that even your snoopy neighbour can't crack? 👉 Dive into our latest article to discover how Signal keeps your conversations truly private. https://lnkd.in/d8nHKYxw #SignalApp #DigitalPrivacy #SecureMessaging #EndToEndEncryption #StaySafeOnline

A WhatsApp account was compromised by an unauthorized individual, who changed the recovery email to one under their control and contacted the account’s contacts. The following actions were taken to mitigate further risk: 1- Contacted the mobile carrier to change the account PIN and verified that no unauthorized devices were linked to the SIM cards. 2- Rebooted the phone to remove any potentially hidden or malicious applications. 3- Reinstalled WhatsApp and restored the recovery email to the legitimate address, documenting the hacker-controlled email for reference. 4- Attempted to enable two-step verification; however, this feature had been temporarily disabled by the unauthorized party. 5- Used the broadcast list created by the intruder to send a warning message to all contacts, alerting them to the compromise. 6- Contacted WhatsApp support to request immediate account deactivation. When no response was received, the app was permanently deleted, including all associated messages, photos, and contacts, to prevent further unauthorized access. This report documents the unauthorized access and the measures taken to secure the account and notify potentially affected contacts.

Is it just me or did all websites on the internet suddenly enforce two step verification in recent times? Don't get me wrong, as someone who works in security, it's a great measure and something that needed to be done for a while now. But, as I try to keep my phone out of reach, the number of times I have to get up and open my authenticator app, then get distracted by a WhatsApp message... Tip: in order to reduce two step verification fatigue, only turn it on for accounts that are sensitive/important to you. It doesn't need to be turned on everywhere :) At least I'm getting more steps! Who'd have thought security could make you more active?

🚀 Key Verification is here! Tuta protects all your data with quantum-safe encryption. To increase security even further, you can now verify keys in Tuta Mail & Tuta Calendar. 🔒 Make sure, no one snoops in on your conversation... Without key verification, you can’t be 100% sure that the emails you send will not be tampered with by a monster-in-the-middle. 👹 Verify keys now in the desktop client (or in a few days in our mobile apps). Should keys change, Tuta will warn you. ⚠️ This gives you full control: You can verify your contacts' keys and be confident your emails stay between you and them - with no one in the middle. 💌🔐 If you don't verify keys, TOFU (Trust On First Use) still makes sure, your conversation stays secure. 🔑 Read more: ➡️ https://lnkd.in/egqshRSX

Spring is in the air, and it’s the perfect time to clean up and secure the one device we all use more than any other - our mobile phones. Your phone holds your messages, photos, passwords, banking apps, emails and more, all of which are of value to cybercriminals. Take a few extra steps this spring to secure your mobile phone from prying eyes by: • updating weak or reused passwords (use a secure password manager) • using biometrics (fingerprint or face ID) instead of a password or PIN • removing apps you no longer need • reviewing what apps can access your photos, camera or mic • installing the latest software update • turning on automatic updates (including for apps). Learn more 👉 https://lnkd.in/gHwsKF9m

Mobile security doesn’t always receive the same priority as laptops do, while these devices often process the same sensitive corporate data. We enforce only PIN codes then grant access. Why do we treat mobiles differently? #MTD #mobilethreats #mobilesecurity

Regulatory Alert! Australia: Telstra Express Concerns Over Scams on Encrypted Messaging Apps. Telstra, one of Australia’s largest telecommunications companies, expresses concerns over scam surges on encrypted messaging platforms such as WhatsApp, Telegram, and Signal. While these platforms are designed to protect privacy, they are now being used to bypass traditional scam filters. Telstra reports that it is currently blocking over 18 million scam calls each month. This development highlights growing tensions across the Asia-Pacific region, where regulators and telecom operators are struggling to balance user privacy with public safety. Accordingly, this points to a broader global debate: should encrypted communication remain fully private, or will platforms need to choose between maintaining encryption and complying with regulatory demands to ensure public safety? Further Reading: https://lnkd.in/gxyywQiH

⏰ It's Subarea 3: Life Online! What's the most common online security threat you've encountered? Tell us how you handled it! 👉 Navigating "Life Online" safely and effectively is crucial. This includes understanding privacy policies, managing your online reputation, and recognizing attempts to access your personal information. Whether you're using an online form to open a bank account or utilizing a ridesharing app, being digitally literate helps you stay safe and accomplish everyday tasks. #TechTip #DistanceLearning #TWC #DigitalLiteracy #DistanceEducation #AdultEducationMatters #techtips #TAMU #tcall #depdc