
WhatsApp Hack - wajdis
http://198.61.222.60/
======
JoeCortopassi
Am I missing something? "Give me your number and password, and I'll show you
that WhatsApp is insecure". Really?

There is definitely a place to out a company that fails to secure things
consistently, but asking for credentials in this way absolutely wrecks your
credibility to anyone but the most trusting of people that already knows you.
_No one should input anything into this form, even if it's credible._ To do
so, is assuming that it is not being stored in any way (unprovable), and that
it is following security best practices (on a site that's not even operating
on a secure connection). I'm sure you are a standup guy, but I hope we never
get complacent with blindly accepting "hack checkers" like the ones that
popped up around other notable hacks recently

~~~
wajdis
It's so easy to get the password. Anyone on the same WiFi as you can get
your WiFi MAC address. About passwords:
<https://plus.google.com/109599361571767865655/posts/5ijzy29iaNn>

~~~
taylorbuley
FTP. AIM. These are equally if not more insecure for the same reasons. Not to
mention that if you're on my network a "WhatsApp" account is the least of my
concerns.

~~~
mirashii
No, they're not.

1) Your MAC address is available to even passive sniffers without the key to
an encrypted network. In some circumstances you don't even need to be
connected to a network to grab someone's MAC address (iPhones in particular
love looking for networks loudly).

2) FTP and AIM passwords can be changed. Yes, a passive sniffer on the same
network can still get them, but this is a significantly harder task than
getting someone's MAC address, and there's no way to change the goal.

3) Brute force attacks become within the realm of possibility. Have someone
you know has an iPhone 5 and uses WhatsApp? The first chunk of the MAC address
is assigned by vendor, so you've already narrowed the search space down
drastically by half, to needing to guess 6 hex digits.

------
lawnchair_larry
I see what you are trying to do, but I think it would work better if you
requested the MAC address instead of the password. The way it's written now,
it looks like you're asking for the password.

I support this though, because WhatsApp has known about this for a couple
years now and refuse to do anything about it.

The short version is, anyone can steal your messages if they have your MAC
address. Anyone on the same network as you, or within WiFi range -- even if
not connected to a WiFi network, but with the radio on -- has your MAC
address. And you can never change it, so once someone snarfs it once, they get
your account for life.

Edit: From the README on the GitHub page:

_Password Overview_

    Android: MD5 hash of reversed IMEI (Credit: WhatsAPI Original Authors)
    iOS: MD5 hash of the MAC address repeated twice (Credit: Ezio Amodio)
    Windows Phone: MD5 hash of reversed DeviceUniqueId (Credit: Robe Fernández)

~~~
0x0
I had the impression that iOS apps that use any API to retrieve the MAC
address are banned from the store, similar to the way calls to retrieve the
UDID are.

Maybe they are grandfathered in? Would they be banned if they pushed an
update? Are Apple afraid of kicking out an iMessage competitor?

------
RyanZAG
There is no real way WhatsApp can fix this problem without large consumer
backlash from existing customers. The reason WhatsApp took off is because 'it
just works' without requiring creating accounts and other nastiness.

You just install it, whack in your phone number, and off it goes. Swap to a
new phone? Whack in your phone number, and you're back on your account.

This is why WhatsApp has beaten out the competition (along with good marketing
in airports, etc) - and there is A LOT of competition. By fixing this 'flaw',
WhatsApp will fail. The best they could do is offer an 'advanced security'
option for users who want more secure communication, but the default insecurity
will have to stay.

TLDR: Insecurity is the very bedrock of WhatsApp's popularity. It cannot be
'fixed' at this point.

~~~
dutchbrit
Of course they can! Just force people to add an additional password to their
account on the next app update.

~~~
RyanZAG
People will get confused, forget their passwords, and swap to a new insecure
system.

------
zhuzhuor
OK... I assume it's not a phishing site, which requires your phone number and
password...

~~~
wajdis
I don't store anything.

~~~
ipince
Hopefully you don't :-) Still, it would be pretty unwise for people to input
their credentials there.

Instead, just put the code up on GitHub and link to it. The curious but
cautious people would be able to verify the hack then.

------
dutchbrit
I wrote a bit more in detail about this a while back:
<http://samgranger.com/whatsapp-is-using-imei-numbers-as-passwords/>

WhatsApp, if you are listening, do the following: Add an extra column to your
database table where user 'credentials' are saved. Let's call it 'password'. Or
call it realpassword if you're using password for the md5'ed IMEI/MAC. Now,
leave it empty for a moment.

On your next client update, force your users to fill in a password. Don't save
it plaintext mmkay, drop a whole pot of salt all over it and save it in the
password column. If the user has a known password, check if their client sent the
correct one.

You can still check IMEI or MAC address too if you want, but only as an extra
'check' to verify the user is logging in from their mobile and not some fishy
desktop client. Again, the latter isn't secure but is meant as a fallback.

------
danso
Instead of just saying "click here to see all the articles about this security
hole" it would go a long way to provide a concise synopsis for those of us who
don't use WhatsApp but are still interested in understanding your approach.

------
hrrsn
WhatsApp was never designed with security as a priority. I remember a couple
of years ago after it took off investigating it with a packet sniffer when I
noticed the phone number verification text let you in the second you finished
typing the PIN. I recall either the server was sending the PIN to the device
or the device was telling the server what PIN to send in the text.
Ridiculously easy to impersonate anyone at that point. Last I checked they had
fixed that hole, but I'm not surprised others have popped up.

------
ipince
Can you clarify what each input means? When the help text for the "name" field
of a form says "the name you'd like to use".. well, it's not very helpful.
Thanks :-)

~~~
wajdis
Thanks for the note. It's the name that shows in push notifications on iOS and
Windows devices.

------
Zor
I am getting "Wrong password" trying with my own phone (iPhone 4), using my
WiFi MAC address (all caps, with :).

~~~
Zor
My number is not from the US. Maybe you are creating the JID using the US
country code + the phone number field instead of using the full number field?

~~~
wajdis
No, simply enter your number without + and the MAC address once, with the two
points, just like XX:XX:XX:XX:XX:XX

~~~
Zor
Tried again here, not working. Do you know if it is possible to sniff the
iPhone connection and get the MD5? I have generated the hash from the
duplicated MAC and want to check that it is identical.

~~~
Zor
The password algorithm changed in the latest versions of WhatsApp, at least on
iPhone. You can get a Base64 of the MD5 from the application directory, but it
doesn't match the IMEI or MAC MD5. I am trying to break mine with hashcat to
see what kind of pattern it follows.

~~~
wajdis
I guess you are trying to do the MD5 yourself, while you should simply just
enter the MAC address with the `:`. The script will automatically generate the
hash for you.

------
a_rahmanshah
How can I get the MAC address for iPhone? I found one, but it is separated
with `-` and not with `:`.

~~~
hrrsn
Settings -> General -> About -> "WiFi Address"

------
Zor
iPhone Mac address "Wrong Password" explained:
<https://github.com/venomous0x/WhatsAPI/issues/192>

------
yogeshkhatri
So if someone has my IMEI, can I save my account from him, as I can't change my
password (IMEI)?

~~~
dutchbrit
No, you'd be screwed. The password is technically an inverse of your IMEI with
an MD5 encryption on top (Android).

