It seems that WhatsApp is full of vulnerabilities. In May last year, it was revealed that WhatsApp accounts could be hijacked without the user knowing it. In January this year, we learned that the status of a WhatsApp user could be changed remotely. In May 2011 it was found that WhatsApp sends communication in plaintext; this was fixed a year later, in May this year. It hasn’t been long since these vulnerabilities were fixed, and now there’s a new one for both WhatsApp and its users to worry about.
According to the Wikipedia page for WhatsApp,
WhatsApp uses a customized version of the open standard Extensible Messaging and Presence Protocol (XMPP). Upon installation, it creates a user account using one’s phone number as username (Jabber ID: [phone number]@s.whatsapp.net) and an MD5-hashed, reversed-version of the phone’s IMEI as password.
And really, WhatsApp uses exactly the procedure described above, without any variation. There is neither any salting of the hash nor an obfuscated MD5 variant. For example, on the Android platform you can find any WhatsApp password from the IMEI number with the single line of code given below:
Finding the username is even simpler. Your phone number is your username!
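The weakness of the scheme quoted above, set beside a server-issued random secret, as an added example that is not WhatsApp's code or the original post's one-liner. The class and method names, the hex encoding of the digest, the sample IMEI and the alternative scheme are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

public class CredentialDemo {
    // Scheme quoted above: password = MD5(reversed IMEI), unsalted.
    // Hex output encoding is an assumption; the page does not state it.
    static String legacyPassword(String imei) throws Exception {
        String reversed = new StringBuilder(imei).reverse().toString();
        return hex(MessageDigest.getInstance("MD5")
                .digest(reversed.getBytes(StandardCharsets.UTF_8)));
    }

    // Hypothetical alternative: 256 random bits issued by the server at
    // registration, unrelated to any device or account identifier.
    static String issueSecret() {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);
        return Base64.getEncoder().encodeToString(secret);
    }

    // The server stores only a SHA-256 digest of the issued secret ...
    static byte[] verifier(String secret) throws Exception {
        return MessageDigest.getInstance("SHA-256")
                .digest(secret.getBytes(StandardCharsets.UTF_8));
    }

    // ... and compares digests in constant time at login.
    static boolean verify(String presented, byte[] stored) throws Exception {
        return MessageDigest.isEqual(verifier(presented), stored);
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        String imei = "123456789012345"; // constructed sample, not a real device
        String issued = issueSecret();
        byte[] stored = verifier(issued);
        System.out.println("legacy value repeats: " + legacyPassword(imei).equals(legacyPassword(imei)));
        System.out.println("issued secrets differ: " + !issued.equals(issueSecret()));
        System.out.println("issued secret verifies: " + verify(issued, stored));
        System.out.println("IMEI-derived value verifies: " + verify(legacyPassword(imei), stored));
    }
}
```

The legacy value is a pure function of an identifier that other parties can read, while the issued secret cannot be recomputed from anything on or about the device.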
There are multiple ways through which one can find someone’s IMEI number:
- Through direct access to the victim’s phone. Just dial & call *#06# (in most cases) and you’ll get the IMEI number.
- An app that silently sends the victim’s IMEI number and phone number to a server in the background (many applications do this already). The phone number is obtained either by letting users fill it in themselves in a registration part of the app, or also silently (this method, however, isn’t always airtight but works in a lot of cases).
- A hacker leaks a database/file with IMEI numbers with associated phone numbers.
- A spammer buys this information from an app developer.
SAMPLE ANDROID CODE:
To retrieve IMEI number:
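// Requires the READ_PHONE_STATE permission; call from an Activity or other Context.
TelephonyManager tm = (TelephonyManager) getSystemService(Context.TELEPHONY_SERVICE);
String device_id = tm.getDeviceId();
To retrieve phone number:
// mAppContext and mPhoneNumber are fields of the enclosing class.
TelephonyManager tMgr = (TelephonyManager) mAppContext.getSystemService(Context.TELEPHONY_SERVICE);
mPhoneNumber = tMgr.getLine1Number();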
To retrieve voicemail number (just for fun):
By implementing this code you can tap anybody’s WhatsApp messages. You can hack anybody’s WhatsApp account with just their IMEI number.
This vulnerability can leak users’ sensitive data and messages. It may already be happening to other users, or even to you!
So next time, think twice before sending any sensitive information or receiving any message over WhatsApp, because you never know where it is going or where it is coming from. There may be a hacker on the other end. WhatsApp is far from secure right now.