A few weeks ago I had a discussion with a couple of my colleagues about WhatsApp and how they might handle their security. We talked about how they could securely identify their users (knowing that they’re never asking for a password) and created some scenarios about how someone could hack into other people’s accounts.
Now, a few weeks later, one of my colleagues sends me this article by Sam Granger and I’m seriously shocked. We also talked about that exact scenario but I would have never thought they’d be that careless about their users’ security… It’s unbelievable, but you should just read it yourself. Here’s a short quote:
As you probably already heard in recent news, 1,000,001 Apple UDIDs were leaked. It’s unfortunate that so many apps use UDIDs to identify users since it’s extremely insecure.
This brings me to WhatsApp, a free messaging service, used by millions of people. Their system runs on a modified version of XMPP (Extensible Messaging and Presence Protocol). There is nothing wrong with using XMPP, but there is a problem in how WhatsApp handle authentication.
If you installed WhatsApp on an Android device for example, your password is likely to be an inverse of your phone’s IMEI number with an MD5 cryptographic hash thrown on top of it (without salt).
md5(strrev('your-imei-goes-here'))
When I say Android, I don’t exclusively mean Android. It just happens to be a different case when it comes to iOS. Windows Mobile, Blackberry etc… might very well have the same password method. It actually wouldn’t surprise me. WhatsApp on the iPhone might be using your IMEI too, or maybe UDIDs to generate passwords, but not the exact same method. If I do find out, I will update this post.
Then comes the username. It’s your phone number (doh).
To obtain both these values is rather simple.
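The derivation quoted above, set beside a server-issued random credential, as an added example that is not part of this post, the quoted article or WhatsApp's code. The IMEI is a constructed sample value, and `issue_credential`, `verify` and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import secrets

SAMPLE_IMEI = "490154203237518"  # constructed sample value, not a real handset


def luhn_ok(imei: str) -> bool:
    """An IMEI is 15 digits; the last one is a Luhn check digit."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for i, d in enumerate(int(c) for c in reversed(imei)):
        if i % 2:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def legacy_password(imei: str) -> str:
    """The scheme quoted above: md5(strrev(imei)), no salt, no randomness."""
    return hashlib.md5(imei[::-1].encode("ascii")).hexdigest()


def imei_entropy_bits() -> float:
    """Upper bound: 14 free digits, the 15th is fixed by the Luhn check."""
    return 14 * math.log2(10)


def issue_credential() -> tuple[str, bytes, bytes]:
    """Assumed alternative: random secret from the server at registration;
    the server keeps only a salted hash, so it can be rotated or revoked."""
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    salt = secrets.token_bytes(16)
    stored = hashlib.pbkdf2_hmac("sha256", token.encode(), salt, 100_000)
    return token, salt, stored


def verify(token: str, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", token.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, stored)  # constant-time compare


if __name__ == "__main__":
    print("legacy :", legacy_password(SAMPLE_IMEI), "(same on every install)")
    print("bound  : %.1f bits, and the IMEI is an identifier, not a secret"
          % imei_entropy_bits())
    token, salt, stored = issue_credential()
    print("random :", token, "verifies:", verify(token, salt, stored))
```

The derived password can never change for a given handset, while the random credential differs on every registration and can be reissued.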