SHA2017 CTF – web 300 write-up

Another challenge written by me was the Web 300 – Eindbazen Election challenge running on This page contains a ranking of all Eindbazen members, a link to the Android voting software and a QR code.

I wrote this challenge, because we had all those cool images created by Thice and because Dutch election software is apparently broken. So I decided to create my own safe election software.

The goal of the challenge is to figure out how the Android application is talking to the website and to see if we can use that to get more information from the database or gain access to the website.


Steal WhatsApp update

When I wrote Steal WhatsApp database (PoC) I never expected it to go viral. I only wrote the article for myself and the few readers of my weblog. My brother and I started the research out of curiosity and ended with this Proof of Concept and blog post. But I’m happy with all the discussion it starts and the awareness it creates by users. My post was not meant to bash Android, WhatsApp or Facebook. I’m a happy consumer of all those products, but only question some design decisions.

However there is some room for some credits and some clarification. (more…)

Steal WhatsApp database (PoC)

“Is it possible to upload and read the WhatsApp chats from another Android application?”

With this question my brother and I started an interesting conversation which ended in underneath proof of concept. The tldr answer is: “Yes, that is possible”.