

Whatsapp security hole allows changing status message of other users - sssparkkk
http://whatsappstatus.net/

======
alex1
The site says the hole has been patched but I was just able to change my own
status with this:

    
    
      curl -A "WhatsApp/2.6.7 iPhone_OS/5.0.1 Device/iPhone_4" \
        --header "Accept-Language: en-us" \
        --header "Accept-Encoding: gzip, deflate" \
        --header "Connection: keep-alive" \
        -d "cc=1&me=%2B1{10_DIGIT_NUMBER}&s={URL_ENCODED_STATUS}" \
        https://s.whatsapp.net/client/iphone/u.php
    

It did take some time to show up under my name, even after restarting the app.

------
chintan100
Did anybody have any success with changing someone else's status with this? If
so, please post.

I got the success message on site and restarted the app too on iPhone by
killing it from the multitasking bar but my friend's status is still
unchanged.

Makes me doubt it is a fraud site as BuddhaSource mentioned.

------
sssparkkk
Some more information about this can be found here:
[http://packetstormsecurity.org/files/108010/SA-20111219-1.tx...](http://packetstormsecurity.org/files/108010/SA-20111219-1.txt)

~~~
yread
Wow it seems there is no security at all:

> By providing any WhatsApp registered telephone number and the text for the
> status update, it is possible to change a user's status. This action does
> not require any prior authentication or authorization

> (on registration) The vendor has implemented bruteforce protection by
> locking a number after 10 tries. This step makes a successful attack on a
> specific number unlikely but an attacker bruteforcing X00 numbers can still
> guess X number(s) on average.

> As published in the past several times already the XMPP traffic from
> WhatsApp is not encrypted.

And they are planning to charge money for it?

edit: perhaps even worse is their response to the security vulnerability seen
in the timeline - they knew about the bug since 09-14

------
fredley
As a frequent WhatsApp user, I must say I find this more amusing than
anything. I've never really understood what the status feature is for anyway.

~~~
ch0wn
As a frequent WhatsApp user I don't find this amusing at all. If this is how
the engineers handle security issues, it might be time to convince my friends
to switch to another messenger. It's not like there was no competition in that
field.

~~~
mike-cardwell
Kik Messenger seems to have been doing very well recently.

~~~
982n389
Do you know if this can be used with Jabber and if the messages are sent on an
encrypted connection to the server?

If not, any good apps that do for iPhone or Blackberry?

~~~
mseebach
I played a little with reverse engineering Kik a while ago. I'm not sure about
the messages, but I was able to siphon off the plaintext password using ngrep.
It's XMPP, btw.

~~~
mike-cardwell
When they originally launched, they were not using SSL, and were using plain
text authentication. Since then, they changed the authentication so it
wouldn't be sent in plain text. Then they later added SSL. Then in the middle
of last year, they updated their SSL setup so it actually did certificate
verification.

It took them a while to get there, but it's secure now.

------
steipete
It's not changing status anymore, did they already block the site's IP?

------
BuddhaSource
Is this a fraud site? Not working for me.

~~~
gglanzani
Ain't working for me either, but I've read reports of people who were able to
do that.

Too bad :)

------
richardburton
I could not change mine. If the leak is plugged would you be willing to
explain where the hole is?

------
jaipilot747
What would the legal liabilities of this site be?

------
dopp
dumb question - how exactly can I try this? I went to the site, but didn't
find relevant information.

------
thelicx
Not working for me.

------
beerglass
Ridiculous!

------
startupcto
There are a few ways that they can patch this. I'm assuming that there's some
sort of auth process in place for their http calls and this could simply be a
case where this particular endpoint missed the auth.

Or they're simply blocking the whatsappstatus's IP and a fix would actually
require both client side and server side changes.

But honestly it's just a messaging app and how many people really care if
"let's go grab a beer" is encrypted or not.
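
Added example, not part of the thread and not WhatsApp's code: a sketch of the server-side difference between a status handler that trusts the `me` field, as the quoted advisory describes, and one that requires a credential bound to that number. The `token` field, the HMAC scheme, the status codes and the phone numbers are assumptions constructed for illustration; the thread does not say how the endpoint was actually fixed.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # hypothetical secret known only to the server
STATUSES = {}                         # phone number -> status text (in-memory stand-in)


def issue_token(number: str) -> str:
    """Hypothetical credential given to a client after it has proven it owns `number`."""
    return hmac.new(SERVER_KEY, number.encode(), hashlib.sha256).hexdigest()


def update_status_unauthenticated(form: dict) -> int:
    """Behaviour described in the advisory: the `me` field alone selects the account."""
    STATUSES[form["me"]] = form["s"]
    return 200


def update_status_authenticated(form: dict) -> int:
    """Hardened form: reject the write unless the token matches the number in `me`."""
    number, status, token = form.get("me"), form.get("s"), form.get("token")
    if not number or status is None or not token:
        return 401                    # no credential presented
    expected = issue_token(number).encode()
    if not hmac.compare_digest(expected, token.encode()):
        return 403                    # credential belongs to some other number
    STATUSES[number] = status
    return 200


def demo() -> dict:
    alice, other = "+15550100001", "+15550100002"  # constructed numbers
    out = {}
    STATUSES.clear()
    STATUSES[alice] = "Available"
    code = update_status_unauthenticated({"me": alice, "s": "changed by someone else"})
    out["unauthenticated_forged"] = (code, STATUSES[alice])
    STATUSES[alice] = "Available"
    code = update_status_authenticated({"me": alice, "s": "x"})
    out["no_token"] = (code, STATUSES[alice])
    code = update_status_authenticated({"me": alice, "s": "x", "token": issue_token(other)})
    out["wrong_token"] = (code, STATUSES[alice])
    code = update_status_authenticated({"me": alice, "s": "At the gym", "token": issue_token(alice)})
    out["owner"] = (code, STATUSES[alice])
    return out


if __name__ == "__main__":
    print(demo())
```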

