{"id":7972,"date":"2012-09-06T04:32:46","date_gmt":"2012-09-05T21:32:46","guid":{"rendered":"http:\/\/deepquest.code511.com\/blog\/?p=7972"},"modified":"2012-09-06T04:32:46","modified_gmt":"2012-09-05T21:32:46","slug":"whatsapp-is-using-imei-numbers-as-passwords","status":"publish","type":"post","link":"https:\/\/deepquest.code511.com\/blog\/2012\/09\/whatsapp-is-using-imei-numbers-as-passwords\/","title":{"rendered":"WhatsApp is using IMEI numbers as passwords"},"content":{"rendered":"<p>As you probably already heard in recent news, <a href=\"http:\/\/techcrunch.com\/2012\/09\/04\/antisec-leaks-1000001-udids-from-a-trove-of-12-million-allegedly-stolen-from-an-fbi-laptop\/\" target=\"_blank\">1,000,001 Apple UDID\u2019s were leaked<\/a>. It\u2019s unfortunate that so many apps use UDID\u2019s to identify users since it\u2019s extremely insecure.<\/p>\n<p>This brings me to WhatsApp, a free messaging service, used by millions of people. Their system runs on a modified version of XMPP (Extensible Messaging and Presence Protocol). There is nothing wrong with using XMPP, but there is a problem in how WhatsApp handle authentication.<\/p>\n<p>If you installed WhatsApp on an Android device for example, your password is likely to be an inverse of your phones IMEI number with an MD5 cryptographic hash thrown on top of it (without salt).<\/p>\n<p><!--more--><\/p>\n<p><code>md5(strrev(\u2018your-imei-goes-here\u2019))<\/code><\/p>\n<p>When I say Android, I don\u2019t exclusively mean Android. It just happens to be a different case when it comes to iOS. Windows Mobile, Blackberry etc\u2026 might very well have the same password method. It actually wouldn\u2019t surprise me. WhatsApp on the iPhone might be using your IMEI too, or maybe UDID\u2019s to generate passwords, but not the exact same method. If I do find out, I will update this post.<\/p>\n<p>Then comes the username. It\u2019s your phone number (doh).<\/p>\n<p>To obtain both these values is rather simple.<\/p>\n<p><strong>Examples:<\/strong><br \/>\n1. You have direct access to your victims phone, in which case you dial &amp; call *#06# (in most cases) and you\u2019ve got their IMEI number.<br \/>\n2. You develop an app that silently sends the victims IMEI number to your server in the background (many applications do this already) &amp; phone number, either by letting them fill it in themselves in a registration part of your app, or also silently (this method however isn\u2019t always waterproof but works in a lot of cases).<br \/>\n3. A hacker leaks a database\/file with IMEI numbers with associated phone numbers, ding ding ding!<br \/>\n4. A spammer buys this information from an app developer.<\/p>\n<p>Time for some Android code examples..<\/p>\n<p><strong>Android code example to retrieve IMEI number:<\/strong><br \/>\n<code>TelephonyManager tm = (TelephonyManager) getSystemService(Context.TELEPHONY_SERVICE);<\/code><\/p>\n<p><code>String device_id = tm.getDeviceId();<\/code><\/p>\n<p><strong>To retrieve the victims phone number:<\/strong><br \/>\n<code>TelephonyManager tMgr =(TelephonyManager)mAppContext.getSystemService(Context.TELEPHONY_SERVICE);<br \/>\nmPhoneNumber = tMgr.getLine1Number();<\/code><\/p>\n<p><strong>You can also retrieve the users voicemail number too just in case:<\/strong><br \/>\n<code>TelephonyManager.getCompleteVoiceMailNumber()<\/code><\/p>\n<p>Using this information allows you to intercept and send messages using your victims account details.<\/p>\n<p>This could mess up peoples lives if you use their account to send a message to someone they know, with any kind of f\u2019ed up message. This could cause huge problems for your victim, especially if the receiver of the message is mentally unstable. It might sound dramatic, but it\u2019s feasible.<\/p>\n<p>You could intercept naked photos &amp; other sensitive personal messages.<\/p>\n<p>Alternatively, you could just spam the hell out of WhatsApp, especially if you have a nice big database.<\/p>\n<p>Is this already happening? It wouldn\u2019t surprise me if it is. I\u2019ve succeeded in sending\/receiving messages (from friends accounts who gave me permission to take their accounts over) and I\u2019m not even a \u201chardcore hacker\u201d.<\/p>\n<p>Do you use WhatsApp? Think twice before you send a private WhatsApp message. Think twice when you receive a messed up WhatsApp message. You don\u2019t know what\u2019s going on in the background.<\/p>\n<p>And WhatsApp, if you are reading this, get your act together. People expect a secure system when it comes to personal messaging. And with the amount of customers you have, you should be taking better security measures. I sincerely hope you fix this issue soon.<\/p>\n<p>The intent of this blog post is not give \u201chackers\u201d or \u201cscriptkiddies\u201d any funny ideas, but merely for awareness.<\/p>\n<p><em>Ps. Don\u2019t get me wrong, I love WhatsApp. But it\u2019s far from \u201csecure\u201d.<\/em><\/p>\n<p>credits:\u00a0Sam Granger<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As you probably already heard in recent news, 1,000,001 Apple UDID\u2019s were leaked. It\u2019s unfortunate that so many apps use UDID\u2019s to identify users since it\u2019s extremely insecure. This brings&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[108,43,18,93,85],"tags":[103,2269],"class_list":["post-7972","post","type-post","status-publish","format-standard","hentry","category-android-2","category-exploit","category-iphone-apple","category-privacy","category-smartphone","tag-android","tag-whatsapp"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4bBYZ-24A","_links":{"self":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/7972","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/comments?post=7972"}],"version-history":[{"count":1,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/7972\/revisions"}],"predecessor-version":[{"id":7973,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/7972\/revisions\/7973"}],"wp:attachment":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/media?parent=7972"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/categories?post=7972"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/tags?post=7972"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}