Is Facebook doing something similar on Android? I have left an application update pending for weeks because Facebook requires access to Phone Calls, which allows the application to "determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and the like."
This does not sit well with me.
As for Facebook, I am using the Tinfoil for Facebook app (it is a website wrapper, essentially). It was faster than whatever app Facebook managed to write.
And Tinfoil is better integrated with the Android system than the official Facebook app. Click a Facebook link in an app or browser - you'll get Tinfoil as an option to view the link but not the official app.
As you point out, this is almost certainly an Android specific implementation, because there's no way to get either the MSISDN or the IMEI through iOS using the public API (if it was to transpire that WhatsApp were using private calls to obtain them then that would be another story entirely).
I do not see anything wrong with using the IMEI as a seed for password generation; the problem is that this number should be encrypted using a proper encryption method and not just transformed using the MD5 hash function.
Another piece of evidence for this is an article published on a website I found while searching for the API endpoints that WhatsApp is connecting to; this person pulled apart the Android client.
In this article there are a few API calls that are discussed, including v1/exist.php and v1/code.php: the former takes an argument sim=MSISDN and the latter takes both sim=MSISDN and imsi=IMSI.
However, on my device (iOS), all of the other fields are being sent (including the MCC and MNC, which you can apparently get using the public CTCallCenter API) except those sim and imsi fields.
(Note: the actual service seems to run over XMPP, and I did not bother figuring out how I'd man-in-the-middle that to figure out my password, so maybe they do something really sneaky at a later step.)
From the article:
> "likely to be an inverse of your phone's IMEI number with an MD5 encryption thrown on top"

MD5 is a digest, not encryption.
It's intended to be unique but not secret and not hard to guess. It's a bit like your SSN or a computer's MAC address.
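To make the point of the last two comments concrete, here is an added example (not code from the thread, from WhatsApp or from the article it quotes) that reconstructs the scheme as the thread describes it, MD5 over the reversed IMEI digits, and puts it next to the defender's alternative, a random per-device secret. The sample IMEI is a constructed Luhn-valid value, not a real handset; the reconstruction of the derivation is a hypothesis based only on the quoted sentence.

```python
import hashlib
import math
import secrets

# Constructed sample IMEI: a Luhn-valid 15-digit value used only for illustration,
# not taken from any real handset.
SAMPLE_IMEI = "490154203237518"


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by IMEIs."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def derive_legacy_password(imei: str) -> str:
    """The scheme the thread describes: MD5 over the reversed IMEI digits.

    Hypothetical reconstruction for illustration. It is deterministic and
    keyless, so anyone who knows the IMEI computes exactly the same value;
    a digest adds no secrecy that the input did not already have.
    """
    if not (imei.isdigit() and len(imei) == 15 and luhn_valid(imei)):
        raise ValueError("expected a Luhn-valid 15-digit IMEI")
    return hashlib.md5(imei[::-1].encode("ascii")).hexdigest()


def candidate_imeis(known_leading_digits: int) -> int:
    """Number of IMEIs consistent with knowing the first N digits.

    The 15th digit is a Luhn check digit fixed by the other 14, so only the
    unknown digits among the first 14 contribute uncertainty.
    """
    if not 0 <= known_leading_digits <= 14:
        raise ValueError("IMEI has 14 payload digits plus a check digit")
    return 10 ** (14 - known_leading_digits)


def entropy_bits(candidates: int) -> float:
    """Bits of uncertainty when all candidates are equally likely."""
    return math.log2(candidates)


def generate_device_credential() -> str:
    """Defender's alternative: a fresh 128-bit random secret made at registration.

    It is not derivable from anything printed on the box or broadcast by the
    radio, and every device gets a different one even when the hardware is
    identical.
    """
    return secrets.token_hex(16)


def compare_schemes(known_tac: bool = True) -> dict:
    """Summarise the uncertainty behind each credential type.

    known_tac=True models an observer who already knows the 8-digit Type
    Allocation Code (the model identifier shared by every unit of one handset).
    """
    known = 8 if known_tac else 0
    return {
        "imei_derived_bits": round(entropy_bits(candidate_imeis(known)), 1),
        "random_credential_bits": entropy_bits(2 ** 128),
    }


if __name__ == "__main__":
    print("legacy (deterministic):", derive_legacy_password(SAMPLE_IMEI))
    print("same input, same value:", derive_legacy_password(SAMPLE_IMEI))
    print("random credential:     ", generate_device_credential())
    print(compare_schemes())
```

The numbers from `compare_schemes()` are the whole argument: once the handset model is known, an IMEI-derived credential carries under 20 bits of uncertainty, whereas a random 128-bit secret carries 128, and no choice of digest function changes the former.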
> If someone knows your IMEI they most likely have enough control over the phone to either completely spoof it or put malicious software on it
Err, no? Your phone can be asked to broadcast it via radio, your phone's previous owner / sales clerk knows it, your wife/gf knows it, etc. Now it's trivial for any of those to gain access to your WhatsApp without any active and sophisticated attack requiring physical access. Sure, with sufficient effort it might be possible for someone sniffing radio or having at some point handled your phone to subvert it in other ways, but this is zero effort.
- it's free (or inexpensive compared to international SMS)
- it doesn't require any technical expertise whatsoever
- it's cross platform
- it already has traction
I can't think of any alternative which has this combination of properties..
It has come to the point that my wife and I barely use SMS anymore and are actually saving some play money on SMS thanks to that thing.
And that is bad news for carriers worldwide yes, but not that anyone really feels pity for them anyway.
This situation resembles the early period of the Internet, when users of Compuserve couldn't send e-mails to users of AOL (and other way around). It sounds completely weird today, but how is this situation with IM networks different?
Understandably there are historic isolated networks (AOL, MSN etc.) which predate any serious federation efforts, and even they are slowly enabling XMPP in some ways. But creating new closed ones in the present time is just weird and only serves to make the situation worse.
For example, if I'm going to go on a date with someone and we've swapped numbers that's enough for us to talk by SMS/iMessage/WhatsApp, whilst we probably don't know each other well enough yet to expose our digital lives to each other on Facebook.
- This entirely depends on things like age, social norms, how much personal information is on your Facebook page, etc. It also depends on whether you are going on a date with someone you already know vs. someone new. Mostly the point being that anything that just needs a phone number has a low barrier to communication while also not leaking any personal information (other than your phone number).
I know it was used as a precursor to an iMessage-type experience to send 'texts' and images using only data, so it was perfect for communicating across countries with no carrier charges.
Phone numbers are logins. Everybody with a phone already has one, so they don't have to do the whole 'create/verify an ID/password' dance.
If you have friends in other countries, this avoids roaming SMS charges. And if you are from Ireland, or Greece, lots of your friends are in other countries.
Yes, that's exactly the catch. Why should you require them to install another app if they might already use some other IM network? WhatsApp's approach may simplify the initial registration step, but it adds to the global mess of non-interoperable IM networks. The negative impact far outweighs any potential comfort benefits, and authors who promote such things are to be blamed for it.
> Everybody with a phone already has one, so they don't have to do the whole 'create/verify an ID/password' dance
Actually you might want to do it, since numbers change, while IDs don't. Plus you want to authenticate the other party if for example you need a secure conversation (such as with OTR).
One-time configuration / registration is not really a burden. All users are familiar with that process. And they don't do it each time they read their e-mail, for example. As I said, the negative impact of non-interoperability proliferation is way more significant.
How does OP know this? Was there a leak of "passwords" or did he find this through trial & error?
Edit: Just found out that's what it says even on the Wikipedia entry about WhatsApp.
Every method on your website to "exploit" this is retrieving the IMEI number through alternative ways, which would mean the phone would be compromised anyway. If someone can compromise the phone, who cares about this?
Maybe WhatsApp can be accessed more easily, but isn't that moot if you already have phone access? If you have phone access already, why would an attacker care about WhatsApp?
WhatsApp is not necessarily insecure based on this. You are giving WhatsApp bad publicity for no reason.
I don't even think it's a design flaw that they used that as the password, because if someone has phone access and/or access to their number already, then they are probably screwed anyway.
Please correct me if I'm missing the actual vuln here.
No, since it's not a secret. Why would outing your IMEI spell large issues?
So maybe we have a double-edged sword here. If you want to be able to authenticate you have to give some company the ability to track you and monitor all your activity (which they will try to "monetize"). It sounds sort of tinfoil hat but this is what we are facing.
The reason: we insist on using the web and other "client-server" approaches for almost everything we do using the internet, instead of considering end-to-end, peer-to-peer approaches. Things are so insecure when everything goes (mostly) unencrypted over the open web via a middleman (Facebook servers, Gmail servers, etc.) that we need to try things like "two-factor authentication".
And as for the "security problem", if someone has access to your phone they can just maliciously use the app itself. I'm not saying that this should just be ignored, but in this specific case the author had probably created the bigger part of the security threat by publishing the article.
Many many apps have permissions to read the IMEI. Just as many have access to the internet. Add whatever permission is needed to find out the device's phone number and you have all you need.
And again, if an app had fooled a user for permissions to get their phone number they could probably just ask for permissions to send and receive SMS's -- which is what some banks (at least here, in Israel) use to verify online accounts.
The fact that their API uses the IMEI is not great but relatively low risk.
Wait until their servers get hacked and that list of how-many-million pairs of phone/imei numbers gets released.
Setups like this are time bombs.
1) I edited the default WordPress post, dated from May
2) I set the time for the future without noticing (wrong timezone!!)
Does anyone know any other neat tricks like this?
There are additionally model specific codes for hardware diagnostics (rather than interacting with the network) on a model-by-model basis.
*#1345# - gives you your credit balance if you're on a prepaid account
*#100# - your phone number
*#101# - the current network date and time
*#[102-105]# - various network engineering information that I can't understand.
On iPhones, try *3001#12345#* .
On Android it often depends on the specific model you have. Here are some for the Samsung S3:
*#06# Show IMEI number
*#0*# LCD Test Menu
*#*#4636#*#* User statistics and Phone Info
*#0011# Displays status information for the GSM
*#1234# View SW Version PDA, CSC, MODEM
*#12580*369# SW & HW Info
*#197328640# Service Mode
*#32489# (Ciphering Info)
*#232337# Bluetooth Address
*#232331# Bluetooth Test Mode
*#232338# WLAN MAC Address
*#232339# WLAN Test Mode
*#0842# Vibra Motor Test Mode
*#0782# Real Time Clock Test
*#0673# Audio Test Mode
*#0*# General Test Mode
*#2263# RF Band Selection
*#872564# USB Logging Control
*#4238378# GCF Configuration
*#0283# Audio Loopback Control
*#1575# GPS Control Menu
*#3214789650# LBS Test Mode
*#44336# Software Version Info
*#7780# Factory Reset
*2767*3855# Full Factory Reset
*#0289# Melody Test Mode
*#2663# TSP / TSK firmware update
*#03# NAND Flash S/N
*#0589# Light Sensor Test Mode
*#0588# Proximity Sensor Test
*#3282*727336*# Data Usage Status
*#7594# Remap Shutdown to End Call TSK
*#34971539# Camera Firmware
*#528# WLAN Engineering Mode
*#7412365# Camera Firmware Menu
*#07# Test History
*#3214789# GCF Mode Status
*#272886# Auto Answer Selection
*#8736364# OTA Update Menu
*#301279# HSDPA/HSUPA Control Menu
*#7353# Quick Test Menu
*2767*4387264636# Sellout SMS / PCODE view
*#7465625# View Phone Lock Status
*7465625*638*# Configure Network Lock MCC/MNC
#7465625*638*# Insert Network Lock Keycode
*#*#7780#*#* Factory data reset - clears Google-account data, system and program settings and installed programs. The system will not be deleted, nor will OEM programs or My Documents (pictures, music, videos).
This seems a bit dangerous. Does it require any kind of password?
EDIT: I see now it was stated these are SIII specific. Guess that explains why nothing happened for me.