WhatsApp Is Using IMEI Numbers As Passwords

mpol writes "In the past, WhatsApp has been criticized over their insecure use of XMPP. Recently, new versions of their app have incorporated encryption. It seems the trouble isn't over yet for WhatsApp and its users. Sam Granger writes on his blog that WhatsApp is using IMEI numbers as passwords. This is at least the case with the Android app, but other platforms are probably using similar methods. Since someone's IMEI number is easily readable, this isn't really secret information that should be used for authentication."

Seriously?

[thePowerOfGrayskull]

The intent of this blog post is not give “hackers” or “scriptkiddies” any funny ideas, but merely for awareness.

And yet , after reading the blog post, I see he made no mention of warning whatsapp, giving them a chance to alter this, etc.

Nicely done with the "responsible disclosure".

I love the last line of the article

[Meshach]

The intent of this blog post is not give “hackers” or “scriptkiddies” any funny ideas, but merely for awareness.

Yes and porn is watched for the acting.

Re:Seriously?

[Lehk228]

responsible disclosure is something earned by responsible actions on the part of developers.

do something retarded and you deserve to have it blow up in your face like that

Re:Seriously?

[Anonymous Coward]

If an app's security is so clueless, it's quite arguably more responsible to give them maximum public humiliation by not allowing the producer to water down the announcement with a PR show about fixing a flaw they never should have allowed to ship.

Yup, the app's users are /possibly/ more exposed to script kiddies briefly (the flaw may be well know outside the greater public already), but that's offset is having more people made safer by just dropping the app in revulsion. Also it inflicts maximum pain on the producer for a bonehead move; sometime maximizing the negative-feedback part of learning is real important.

It's not a simple call to make. I like responsible disclosure, but it's just not always a black-white call.

Also, "so what?" -- by that I mean only we're always going to have a percentage of people who simply say 'this shit is broken' without contacting the producer. That's got to be factored into developing anything, and glaring at the messenger is pointless. It's a fact of the social milieu.

warning?

[kenorland]

What good would a "warning" do? This isn't some accidental security slip-up, it's a sign of utter incompetence.

Always the same stupid, stupid mistakes

[gweihir]

Why are these people not asking _one_ person that understands security before implementing the same tired old stupid mistakes again? There is not even space for responsible disclosure here. The only things to tell users is to stay away from this insecure trash. If they make beginners mistakes like these, there is likely no way to fix this app without a complete re-design.

Re:Seriously?

[Anonymous Coward]

Only part of the security community believes in responsible disclosure, a large portion of the community is for 'full disclosure', like the post in question here.

Great example: Security Researchers point out 29 vulnerabilities in Java 7 to Oracle in April, with Proof of Concept code and everything. Oracle patches 2 of the vulnerabilities in the June update. Someone else finds some of the same flaws and exploits them in the wild. Oracle only fixed them after they were being actively exploited. Turns out, the fixes were band aid at best, with a little refactoring, Security Explorations (the Polish researchers in question) updates their Proof of Concept code, all of the exploits still work even after Oracles 'patch'.

Without the huge public pressure from public disclosure, Oracle just ignores the vulnerabilities.

Re:Seriously?

[Anonymous Coward]

So, let's allow a bunch of people to get hacked because the developer doesn't meet your standards. That's not a dick move at all.

Re:I love the last line of the article

[Viceice]

Porn _IS_ watched for the acting. Because it sure isn't watched for the plot, story or any other production value.

Re:Seriously?

[Hatta]

"Responsible disclosure" is a completely disingenuous term. Full disclosure is the only responsible route.

Re:Seriously?

[DMiax]

since the app did not pop out of nowhere but someone wrote it, I have to assume that WhatsApp already knows that they are using IMEI as passwords and they are clearly ok with that. It's not a bug or something that slipped in. It is not a side effect of another decision: it is how they intended it to work and it is stupid. The only people who don't know are the current and prospective users, hence full disclosure.