WhatsApp Is Using IMEI Numbers As Passwords
mpol writes "In the past, WhatsApp has been criticized over their insecure use of XMPP. Recently, new versions of their app have incorporated encryption. It seems the trouble isn't over yet for WhatsApp and its users. Sam Granger writes on his blog that WhatsApp is using IMEI numbers as passwords. This is at least the case with the Android app, but other platforms are probably using similar methods. Since someone's IMEI number is easily readable, this isn't really secret information that should be used for authentication."
Re:The Mind Has No Firewall (Score:4, Funny)
"The Mind Has No Firewall" by Timothy L. Thomas. Parameters, Spring 1998, pp. 84-92.
The human body, much like a computer, contains myriad data processors. They include, but are not limited to, the chemical-electrical activity of the brain, heart, and peripheral nervous system, the signals sent from the cortex region of the brain to other parts of our body, the tiny hair cells in the inner ear that process...
I was half expecting this to turn into another 'MyCleanPC' spam post.
Re: (Score:1)
Actually the mind has a very effective firewall, as everyone has experienced who tried to convince someone else that his belief system is wrong. However, like any firewall, it can only keep off threats if configured properly.
Seriously? (Score:5, Insightful)
The intent of this blog post is not to give "hackers" or "scriptkiddies" any funny ideas, but merely for awareness.
And yet, after reading the blog post, I see he made no mention of warning WhatsApp, giving them a chance to alter this, etc.
Nicely done with the "responsible disclosure".
Re:Seriously? (Score:4, Insightful)
do something retarded and you deserve to have it blow up in your face like that
Re:Seriously? (Score:5, Insightful)
Only part of the security community believes in responsible disclosure, a large portion of the community is for 'full disclosure', like the post in question here.
Great example: Security researchers point out 29 vulnerabilities in Java 7 to Oracle in April, with proof-of-concept code and everything. Oracle patches 2 of the vulnerabilities in the June update. Someone else finds some of the same flaws and exploits them in the wild. Oracle only fixed them after they were being actively exploited. Turns out, the fixes were band-aids at best: with a little refactoring, Security Explorations (the Polish researchers in question) updates their proof-of-concept code, and all of the exploits still work even after Oracle's 'patch'.
Without the huge public pressure from public disclosure, Oracle just ignores the vulnerabilities.
Re:Seriously? (Score:4, Insightful)
"Responsible disclosure" is a completely disingenuous term. Full disclosure is the only responsible route.
Re:"Full disclosure is the only responsible route" (Score:2)
Hatta, you're actually not far off from Bruce Schneier's "Full Disclosure of Security Vulnerabilities a 'Damned Good Idea' [schneier.com]".
Re: (Score:2)
Not true.
If you find yourself dealing with a company that fixes the things you disclose in a timely manner, then just throwing exploits out and sitting back with your popcorn trying to see if the hackers can fuck the public over before the company can fix it means you are just a dick.
Re:Seriously? (Score:5, Insightful)
So, let's allow a bunch of people to get hacked because the developer doesn't meet your standards. That's not a dick move at all.
Re: (Score:1)
The "dick move" here would be to let people remain ignorant about the fact that they are using a "dick" company. Whether they mentioned it to whatsapp or not is entirely inconsequential to the much larger issue of whatsapp being total morons when it comes to security in the first place.
If my neighbour was worried about security, locks his doors but I notice he always leaves the bathroom window open, I would mention that to him, pointing out his security problem. But if he buys a big sturdy security gate and
Re: (Score:3)
The person who delays announcement of a security hole is allowing a bunch of people to get hacked. If a "security researcher" found the hole, you have to assume a black hat has as well. Make the announcement immediately, so those affected can take the affected systems offline immediately, or make other arrangements.
Failing to announce vulnerabilities immediately is a dick move that only protects the people that made the vulnerable product.
Re: (Score:2)
Failing to announce vulnerabilities immediately is a dick move that only protects the people that made the vulnerable product.
Wrong, it protects and benefits the black hats who are using the vulnerability even more...
Re: (Score:2)
Regardless of it being a dick move..
> So, let's allow a bunch of people to get hacked because the developer doesn't meet your standards.
If it's breakable then it's just poor security. This isn't tabs or spaces. This is either you can break into someone's account or you can't.
Re: (Score:2)
OTOH, who's to say they haven't ALREADY been hacked and this disclosure merely was bringing attention to the public?
That's the problem with responsible disclosure - it's really hard to do. Wait too long and people exploit it without your knowledge. Wait too short and they have no chance to fix it (and how long is "enough"? QA processes vary and some places do extensive testing to
Re: (Score:3)
Responsible disclosure has nothing to do with the developer, it's meant to protect its users.
Re: (Score:2)
Not so much. The best way to protect users is to let them know that the programs they're using are insecure.
For all we know, a black hat might have discovered this vulnerability (of the moronic kind) months ago and already be exploiting it in the wild without user knowledge. Full disclosure fixes this lack of information; the developer now should really fix the app.
Re: (Score:1)
The problem with this attitude is that the end users get the shit poured over them, as retribution for the developers' lack of responsibility.
What kind of dick do you have to be to think that's fair?
Re: (Score:2)
Why anyone would ever want to use WhatsApp over Google Voice is something I don't get.
Re:Seriously? (Score:5, Insightful)
If an app's security is so clueless, it's quite arguably more responsible to give them maximum public humiliation by not allowing the producer to water down the announcement with a PR show about fixing a flaw they never should have allowed to ship.
Yup, the app's users are /possibly/ more exposed to script kiddies briefly (the flaw may be well known outside the greater public already), but that's offset by having more people made safer by just dropping the app in revulsion. Also it inflicts maximum pain on the producer for a bonehead move; sometimes maximizing the negative-feedback part of learning is really important.
It's not a simple call to make. I like responsible disclosure, but it's just not always a black-white call.
Also, "so what?" -- by that I mean only that we're always going to have a percentage of people who simply say 'this shit is broken' without contacting the producer. That's got to be factored into developing anything, and glaring at the messenger is pointless. It's a fact of the social milieu.
Re: (Score:3, Informative)
Meh. It's a proprietary extension to a free protocol, with lock-in included. Fuck them.
Re: (Score:2)
Your IMEI is 00-000000-000000. Remember that the checksum calculation is optional.
warning? (Score:5, Insightful)
What good would a "warning" do? This isn't some accidental security slip-up, it's a sign of utter incompetence.
Re:Seriously? (Score:5, Informative)
There's no need for responsible disclosure when it's been around for months on Github.
Just check https://github.com/venomous0x/WhatsAPI/blob/63639eafc9a08fd308df72458f1381ec8899940d/README.md [github.com] and you'll see.
Re: (Score:3)
This isn't an accidental security vulnerability, they deliberately designed their system this way. They obviously already knew their system works this way.
Re: (Score:2)
I have never used whatsapp but I was still fully aware that they use IMEI as a password. This was no secret.
Re: (Score:1)
Sure, they should have alerted WhatsApp that they programmed their system to use IMEI as passwords...
Hey! I just noticed that you wrote your comment and pushed the submit button and now everyone can read your thoughts! Are you aware of that?
I love the last line of the article (Score:5, Insightful)
Yes and porn is watched for the acting.
Re: (Score:2, Funny)
Yes and porn is watched for the acting.
porn with acting is called drama on HBO
spartacus
Re:I love the last line of the article (Score:4, Insightful)
Porn _IS_ watched for the acting. Because it sure isn't watched for the plot, story or any other production value.
I call... (Score:2)
Re: (Score:2)
If you're on a tech website and reading an article about cell phones without knowing what an IMEI is, you're hopeless to begin with. It's a common enough acronym that no, they shouldn't spell it out- you should stop being a dumbass.
Re: (Score:2)
The number of people who ask me what acronyms and even plain English words mean while in front of an Internet-connected PC or smart phone just astounds me. I keep saying "Google it" and they keep looking at me stupid.
So you type the word you're looking up into Google, hit enter, and voilà, it's probably the first result.
Re: (Score:2)
If you type " define" its almost always the first result. Works well for acronyms too.
This is why Apple got rid of the UDID... (Score:2)
Even though the UDID was not supposed to be used for authentication-like purposes, some app developers were leaning on it. It's really better to just make apps create a UUID themselves and make use of that. Of course, then for authentication you need a real login of some kind.
Re: (Score:2)
Same thing with Social Security Numbers; they were never supposed to be used as a Federal identification number, but companies wanted to track people in a more consistent manner and there was no alternative. In both cases, that doesn't forgive the companies for using these numbers.
Not Quite (Score:1)
To be fair, they are using the MD5 of the IMEI. Not just the IMEI in plain text. But I think people are more worried about someone getting their WhatsApp info from the IMEI, and not the other way around.
Always the same stupid, stupid mistakes (Score:4, Insightful)
Why are these people not asking _one_ person that understands security before implementing the same tired old stupid mistakes again? There is not even space for responsible disclosure here. The only thing to tell users is to stay away from this insecure trash. If they make beginner's mistakes like these, there is likely no way to fix this app without a complete re-design.
Re: (Score:2)
In case you didn't notice, these days companies are only after the quick buck. This means that they target as large a group of people as they can with minimal effort. This in turn means that security, for example, gets neglected. In other words, the reason is companies have found out that they can exploit the following concept:
99% OF USERS DON'T CARE
Re: (Score:1)
13 and 14 are kind of bullshit. If an "attacker" can modify your code, you've already lost. Obfuscating your code to make it harder to crack the binary is not security, it's obfuscation. It might give comfort to those seeking solutions to the impossible problems (DRM, copy protection) but in the end it won't help you beyond preventing the most casual/unskilled crackers, and it will make your job as a developer harder.
Basically if you can't trust the integrity of your own address space you've lost, there is
Re: (Score:2)
They are not BS, they are shifting attacker effort. Depending on your attacker model, that may or may not make the app more secure. Unfortunately that is worth far less than it seems and can even lower security.
Unfortunately, it looks like most attackers are not that rational (the Homo economicus is a nice theoretical model, but unfortunately complete BS in practice, as there are basically none of these creatures around) and will keep at one target a lot longer than is economically viable. That means simple obf
Re: (Score:2)
The perfect app would be one that is actually safe, but looks as if it could be attacked successfully, making an attacker waste their time.
In a way it's useful (Score:2)
But they should use the IMSI number, not the IMEI number. And combine it with a password, then you get into a better level of security than with only a password since you are using something you have.
However with the recent rise in malicious apps for phones using the phone for anything secure is risky.
Apple removed UDID (Score:2)
I don't write Android code, but I would be sure that they have some easy means for an app to generate a UUID (
IMEI not just "easily readable" (Score:3)
The IMEI is not just "easily readable"; it's sent unencrypted whenever a call is made. This was a deliberate design choice: it could have been sent after the encrypted connection was established, but the writers of the specification chose otherwise. The motivations for this have never been explained, but a lot of people have drawn their own conclusions.
In any case my point is that it's even easier than TFA suggests to obtain someone's IMEI.
Jitsi (Score:2)
So when is Jitsi going to get an android port?