We recently saw the 1 million unique Apple device IDs leak, and now there is a vulnerability in the Android version of the popular Cross-platform Messaging system, Whatsapp.
Whatsapp recently hit, the record of 10 billion messages sent and received per day, just imagine the popularity, but this has a bad side to it, the popularity makes it the prime target for hackers.
We’ve seen news About Whatsapp can be hackable via Wi-Fi but that not being its own vulnerability but the Wi-Fi protocol being the problem and some more.
Sam Granger, one of the hack found that, If you installed WhatsApp on an Android uses Your phone number as the username and IMEI (inverted and MD5 hashed) as your password.
Did you know how long does that take t0 code?
Here you go md5(strrev(‘your-imei’)) and you’re done, this is how Whatsapp on Android Phone stores the password.
However, this isn’t a new revelation, the WhatsApp Wikipedia entry already states that the service uses phone number and IMEI, but what Sam pointed out was that there are SIMPLE ways to retrieve the two nuggets.
1. You have direct access to your victims phone, in which case you dial & call *#06# (in most cases) and you’ve got their IMEI number.
2. You develop an app that silently sends the victims IMEI number to your server in the background (many applications do this already) & phone number, either by letting them fill it in themselves in a registration part of your app, or also silently (this method however isn’t always airtight but works in a lot of cases).
3. A hacker leaks a database/file with IMEI numbers with associated phone numbers, ding ding ding!
4. A spammer buys this information from an app developer.
Time for some Android code examples.
Android code example to retrieve IMEI number:
TelephonyManager tm = (TelephonyManager) getSystemService(Context.TELEPHONY_SERVICE);
String device_id = tm.getDeviceId();
To retrieve the victims phone number:
TelephonyManager tMgr =(TelephonyManager)mAppContext.getSystemService(Context.TELEPHONY_SERVICE);
mPhoneNumber = tMgr.getLine1Number();
You can also retrieve the users voicemail number too just in case:
What are the implication? We think they are HUGE!
- Spam the hell out of Whatsapp server, once you collect a HUGE database.
- Intercept Photos, Private conversions on Whatsapp, Make it public, especially when S*xting is so common.
- Send messages to people’s friends whose IDs you’ve hacked.
Sam went on to say:
Is this already happening? It wouldn’t surprise me if it is. I’ve succeeded in sending/receiving messages (from friends accounts who gave me permission to take their accounts over) and I’m not even a “hardcore hacker”.
Ps. Don’t get me wrong, I love WhatsApp. But it’s far from “secure”.
Would you use Whatsapp after knowing this, or, rather would you use Whatsapp for the private chats, images, etc, especially if you have a hacker friend, capable of pulling this off on you!
The DNetWorks Team