As you have probably already heard in recent news, 1,000,001 Apple UDIDs were leaked. It’s unfortunate that so many apps use UDIDs to identify users, since doing so is extremely insecure.
This brings me to WhatsApp, a free messaging service used by millions of people. Their system runs on a modified version of XMPP (Extensible Messaging and Presence Protocol). There is nothing wrong with using XMPP, but there is a problem in how WhatsApp handles authentication.
If you installed WhatsApp on an Android device, for example, your password is likely to be the reverse of your phone’s IMEI number with an MD5 cryptographic hash thrown on top of it (without salt).
md5(strrev('your-imei-goes-here'))
When I say Android, I don’t exclusively mean Android. It just happens to be a different case when it comes to iOS. Windows Mobile, BlackBerry, etc. might very well use the same password method. It actually wouldn’t surprise me. WhatsApp on the iPhone might be using your IMEI too, or maybe the UDID, to generate passwords, but not with the exact same method. If I do find out, I will update this post.
Then comes the username. It’s your phone number (doh).
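An added example, not code from the original post or from WhatsApp: it reproduces the derivation above in Python, bounds how many IMEI digits are actually unknown to a third party, and contrasts the derived value with a server-issued random secret. The sample IMEI, the sample phone number and the CredentialStore class are constructed for illustration.

```python
import hashlib
import hmac
import math
import secrets

SAMPLE_IMEI = "490154203237518"   # constructed sample value, not a real device
SAMPLE_PHONE = "15555550123"      # constructed sample value


def legacy_password(imei: str) -> str:
    """Scheme described in the post: unsalted MD5 over the reversed IMEI."""
    return hashlib.md5(imei[::-1].encode("ascii")).hexdigest()


def luhn_check_digit(first14: str) -> int:
    """The 15th IMEI digit is a Luhn checksum of the first 14, so it adds no secrecy."""
    total = 0
    for i, ch in enumerate(reversed(first14)):
        d = int(ch)
        if i % 2 == 0:  # rightmost payload digit and every second digit after it
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


def unknown_bits(model_known: bool) -> float:
    """Upper bound on the secret bits in an IMEI.

    Layout: 8-digit type allocation code (identifies the model), 6-digit
    serial number, 1 check digit. Only digits a third party cannot infer count.
    """
    digits = 6 if model_known else 14
    return digits * math.log2(10)


class CredentialStore:
    """Hypothetical server side: random per-installation secret, salted slow hash at rest."""

    def __init__(self) -> None:
        self._records = {}  # phone number -> (salt, derived hash)

    @staticmethod
    def _hash(secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def enroll(self, phone: str) -> str:
        """Issue a fresh 256-bit secret that is unrelated to any device identifier."""
        secret = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self._records[phone] = (salt, self._hash(secret, salt))
        return secret

    def verify(self, phone: str, presented: str) -> bool:
        record = self._records.get(phone)
        if record is None:
            return False
        salt, stored = record
        # Constant-time comparison of the derived hashes.
        return hmac.compare_digest(stored, self._hash(presented, salt))


def compare_schemes() -> dict:
    """Run both schemes on the sample values and report what each one protects."""
    on_device = legacy_password(SAMPLE_IMEI)
    # A party holding only the first 14 digits recomputes the 15th and gets
    # the identical credential: nothing in the derivation is secret.
    rebuilt = SAMPLE_IMEI[:14] + str(luhn_check_digit(SAMPLE_IMEI[:14]))
    elsewhere = legacy_password(rebuilt)

    store = CredentialStore()
    issued = store.enroll(SAMPLE_PHONE)
    return {
        "derived_matches": on_device == elsewhere,
        "imei_bits_model_known": round(unknown_bits(True), 1),
        "imei_bits_model_unknown": round(unknown_bits(False), 1),
        "issued_secret_accepted": store.verify(SAMPLE_PHONE, issued),
        "derived_value_rejected": not store.verify(SAMPLE_PHONE, on_device),
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value}")
```

Even before any leak, an IMEI for a known handset model carries under 20 bits of uncertainty, while the issued secret carries 256 and is never stored in recoverable form.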
Obtaining both of these values is rather simple.
Examples:
1. You have direct access to your victim’s phone, in which case you dial & call *#06# (in most cases) and you’ve got their IMEI number.
2. You develop an app that silently sends the victim’s IMEI number to your server in the background (many applications do this already) along with their phone number, either by letting them fill it in themselves in a registration part of your app, or also silently (this method however isn’t always airtight but works in a lot of cases).
3. A hacker leaks a database/file with IMEI numbers with associated phone numbers, ding ding ding!
4. A spammer buys this information from an app developer.
Time for some Android code examples.
Android code example to retrieve IMEI number:
// Requires the READ_PHONE_STATE permission in AndroidManifest.xml
TelephonyManager tm = (TelephonyManager) getSystemService(Context.TELEPHONY_SERVICE);
String device_id = tm.getDeviceId();
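To retrieve the victim’s phone number:
// Also gated by READ_PHONE_STATE; may return null or an empty string if the SIM does not store the number
TelephonyManager tMgr = (TelephonyManager) mAppContext.getSystemService(Context.TELEPHONY_SERVICE);
mPhoneNumber = tMgr.getLine1Number();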
You can also retrieve the user’s voicemail number, just in case:
TelephonyManager.getCompleteVoiceMailNumber()
Using this information allows you to intercept and send messages from your victim’s account.
This could mess up people’s lives if you use their account to send a message to someone they know, with any kind of f’ed up message. This could cause huge problems for your victim, especially if the receiver of the message is mentally unstable. It might sound dramatic, but it’s feasible.
You could intercept naked photos & other sensitive personal messages.
Alternatively, you could just spam the hell out of WhatsApp, especially if you have a nice big database.
Is this already happening? It wouldn’t surprise me if it is. I’ve succeeded in sending/receiving messages (from friends’ accounts, who gave me permission to take their accounts over) and I’m not even a “hardcore hacker”.
Do you use WhatsApp? Think twice before you send a private WhatsApp message. Think twice when you receive a messed up WhatsApp message. You don’t know what’s going on in the background.
And WhatsApp, if you are reading this, get your act together. People expect a secure system when it comes to personal messaging. And with the amount of customers you have, you should be taking better security measures. I sincerely hope you fix this issue soon.
The intent of this blog post is not to give “hackers” or “scriptkiddies” any funny ideas, but merely to raise awareness.
Ps. Don’t get me wrong, I love WhatsApp. But it’s far from “secure”.
Want to join the discussion? Got any further questions? Comment below, or on Hacker News.
– UPDATE –
It seems that WhatsApp has made a change in their authentication system. I am not sure exactly what they changed, but if I find out more I will let you all know. My method no longer works.
– UPDATE 2 –
It looks like they didn’t change all that much…
– UPDATE 3 –
Ezio Amodio claims to have found how WhatsApp passwords are generated for iOS. I have yet to test it, but it sounds promising. http://www.ezioamodio.it/?p=29
– PUBLICITY –
The Next Web
Globo.com
Security.nl
Slashdot.org
H-Online.com
WebWereld.nl
Welt.de
PCWelt.de
Leggo.it
Corriere.it
Interesting article and props on the find but wouldn’t it have been better to simply let WhatsApp know about this and let them get back to you with what action they’re going to take BEFORE publishing it?
He is just reporting how they do it.
They are fully aware of how they do their security, and they must realise that what he describes here is possible, otherwise they are really really bad at what they do and whatsapp is otherwise a fully functional product.
They just decided it was unlikely that IMEI/UUID databases would show up on the net somewhere, along with personal data to identify the person behind the number so it can be used as a feasible attack vector even without having contact with the person or their hardware.
The real issue here, is that the leaked database even exists.
Don’t blame the messenger! And by that way I don’t mean WhatsApp.
And lose all those visitors, comments and fuss? Nah
FYI The article date is MAY 23, 2012 but it is talking about Apple UDID problem (today is SEPTEMBER 9, 2012). I think something is wrong.
Thanks, you’re correct! I edited the default WordPress post, my mistake (doh)!
Today is actually September 5, not 9.
I had discovered a while back that WhatsApp was storing all chat logs in an unencrypted sqlite file on the SD card in both Android and BlackBerry. Not sure if that’s still the case, but definitely agree that they need to pay more attention to security.
Now it’s encrypted with a hardcoded AES key. You can find several public tools to decrypt the databases.
Not only chatlogs, on Nokia devices, it keeps a list of all the files transferred, WiFi, GPRS access points connected to, etc in a plain unencrypted directory – WALogs. Check it for the meat.
Yikes!!!!!!!!!!!
“with an MD5 encryption thrown on top”
MD5 is a cryptographic hash — not a form of encryption.
Doh, silly me!! – let me update my post
And a lousy cryptographic hash, which “should be considered cryptographically broken and unsuitable for further use” (see Wikipedia for details).
Excuse my ignorance, but what good does an IMEI number do?
Your provider can block it so the mobile phone is useless to the thief. If the mobile is turned on you can even triangulate the location of your phone if it has been stolen.
Interesting, thank you: I’ll take a look at code as well.
I think we’ll see whatsapp updates & fixes soon.
In the last one they added cryptography to single/group messages both via wifi and mobile carrier (well, without specifying the cryptographic method).
only thing you need is to change your IMEI?
Correct?
MD5 is a cryptographic hash function, it is NOT encryption.
Interesting post. Many thanks for pointing it out. My only question is how did you find out?
“this method however isn’t always waterproof”
I think “airtight” is the word you’re looking for.
*Quickly changes*
Or bulletproof.
I suppose it’s kind of a mixed metaphor. Airtight and watertight are similar (although somewhat different). So airtight, watertight, waterproof. Waterproof sounds like bulletproof. Did I successfully reverse engineer your brain?
You kind of did! I’m British but live in the Netherlands. We say water dicht here which means waterproof so that’s where it went wrong I reckon.
Wow, that’s pretty alarming. I just started using WhatsApp and I generally like it, but the lack of security is uncomfortable. Thanks for pointing it out.
Great article and well noted, I will share the information with others. Thanks
The IMEI is not obtainable from iOS using the official SDK. Apple doesn’t provide any documented API to obtain the IMEI, so apps on the app store cannot get at it. Jailbroken phones are more at risk, but since WhatsApp is an App Store app, it’s safe to say that it isn’t using the IMEI on an iPhone.
Apps such as Good Technologies ask for your UDID…
If you change the SIM card on your phone, you lose your old messages and get them back when you change back (so they do associate the messages to a phone number/IMEI). I noticed this on a recent trip to the US where I changed my sim card to a US number (WhatsApp did a new auth) and all my old messages disappeared. However, when I changed back I got the old messages back but all the new messages were retained.
My contract ran out in the last few days and I got a new one with a new phone number. My WhatsApp messages are all there and my contacts on WhatsApp see my old number.
WhatsApp seems a bit random.
You can’t access the phone number from within the sandbox, therefore there shouldn’t be any risk for iOS Users.
Awesome, I’m still trying to figure out Whatsapp’s method on the iPhone. If I find out, I’ll write a separate blog post.
Maybe you could do some logging with Mobile Substrate or reverse engineer the WhatsApp classes. For that you need to crack the WhatsApp App on your iPhone and extract the binary to your pc. There you can use “class-dump-z” to extract the classes. Maybe this can help you.
Oh, and the UDID is deprecated so it’d be interesting if they have some other method or if they still use the UDID.
Don’t believe in this shit, m even a Engineer of Computers ! Haven’t seen whatsapp asking 4 any password. & if There’s anything is like then m using BlackBerry & I don’t fear of these small hacks.
No wonder dicks like you don’t deserve privacy. First, learn to compose a sentence which makes sense before expressing your views.
That’s the point, Mr. “Engineer of Computers”. It automatically uses your device’s serial number (technically, your IMEI, but calling it a “serial number” is easier) as your password. It’s inherently insecure, as any app can access your phone number and device serial number (at least on everything that isn’t webOS or iOS), and then impersonate you.
Until they wrote a completely new iOS authentication system in 2.8, anyone could, in two calls to “curl” or “wget” hijack everyone on the planet’s WA account using that data, and prevent you from using it. As is, with that data, they can login and impersonate you.
If someone were to generate a database of phone numbers and device IMEI numbers, that leaked to the internet somehow, everyone on that list who had whatsapp would be in immediate danger of being impersonated.
How secure is Whatsapp? What does the company have to say about this article? http://samgranger.com/whatsapp-is-using-imei-numbers-as-passwords/…
…
Sam, props for discovering this.
I still do not fully grasp how it works.
Once you have a victim’s IMEI and number, how do you want to access their profile and, e.g., send and receive messages in their name? You would have to have access to their phone, not? Or is there some sort of other interface to send/receive messages?
You’d be able to login to their account from wherever you want, using a pc or web server for example. You just have to interact with their “private API”. I could post some samples if you are interested.
I would be interested.
I have an idea how to do it, but I’m not sure.
But I can’t understand why WhatsApp uses that personal data. Google even posted a blog article about a method to retrieve a unique ID for each device installation (http://android-developers.blogspot.de/2011/03/identifying-app-installations.html)
And receive/intercept messages?
Does WhatsApp broadcast sent messages to all logged-in devices?
It would be great if you could post some examples.
Hey Sam, I did some research and stumbled upon the venomous0x API and its various pull requests. Still I was not able to do what you apparently were able to do. Could you post some code examples or give further insight in what methods/devices you used to achieve what you have done?
WhatsApp is a no-configuration app, so they need to use something that any app can have access to as authentication. So it’s not about using MD5 or the IMEI, it’s (from a security standpoint) conceptually broken. Any other app can replicate what they do if they don’t ask the user to authenticate. A secure option would be to partner to some provider like google and use OAuth tokens or some other Single-Sign-On system.
It’s simple. People are stupid and they don’t care about security. So Whatsapp Inc. please don’t fix this! It’s just another easy door for the ones who are aware of security to control the dummies.
Are you sure that the stupid is who doesn’t care too much to security and there aren’t too many that are mentally ill about security? What is the problem if someone reads my personal messages? I even wonder why someone may be interested to them!
For some, sure, but some people use whatsapp for sending private messages they don’t want others to see..
If you ask me you shouldn’t use a free service to send private/sensible data. If a product is free, YOU are the product.
I wanna see some scripts how you are going to do anything of the things you claim about from an app you developed. Mostly to see the person’s messages and send messages on their behalf.
Hell, but what’s the way to inject the user/password into WhatsApp …
Another question:
Will you and your victim both get the messages, OR will only one of the two get the message?
Only one of both. WhatsApp deletes the message after delivery.
Yup, it turns out that BlackBerry also uses IMEI, and iPhone uses its UDID, and we wrote code to use WhatsApp on your PC:
https://github.com/cdesjardins/WhatsAPI
Unfortunately just 2 days ago WhatsApp made some change that renders this code useless… until we figure it out again that is…
I’m experiencing the same.
Hi!
I was using the WhatsApp API last weekend just to play around with it, and the IMEI is not working for Windows Phone 7. I guess they are probably using the device ID, but I was trying to connect with both (IMEI and DeviceID, reversed, without reversing, MD5 and all other possibilities) but with no success.
I think that the IMEI identification is only for Android, because I don’t remember any method to get the IMEI from the iOS SDK.
I would appreciate it if you have any other info, so that we can understand the way they do it. I’ll keep trying with my Windows phone.
Anyway, nice blog post, thanks!
Hi,
About iOS password generation take a look here
http://www.ezioamodio.it/?p=29
How secure is WhatsApp? What does the company have to say about the recent security flaws pointed out in their app?…
http://samgranger.com/whatsapp-is-using-imei-numbers-as-passwords/ and http://fileperms.org/whatsapp-is-broken-really-broken/…
Viber next?
Yo, I finally took the time and summarized everything related to WhatsApp security in a small blog post, and I tried to formulate it as easy as possible – if you don’t agree or find some misinformation, just comment!
Whats Up With WhatsApp? A Summary Of The Recent Security Flaws For The Ignorant User
Hi,
Somebody stole my friend’s IMEI number and they have sent vulgar messages to other numbers. A complaint has been registered against my friend. I would appreciate the help.
Thank you.