Slashdot Mirror


WhatsApp Is Using IMEI Numbers As Passwords

mpol writes "In the past, WhatsApp has been criticized over their insecure use of XMPP. Recently, new versions of their app have incorporated encryption. It seems the trouble isn't over yet for WhatsApp and its users. Sam Granger writes on his blog that WhatsApp is using IMEI numbers as passwords. This is at least the case with the Android app, but other platforms are probably using similar methods. Since someone's IMEI number is easily readable, this isn't really secret information that should be used for authentication."
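An added illustration, not code from the story, from Sam Granger's post or from WhatsApp: the summary's point is that a password derived only from a readable device identifier is reproducible by anyone who can read that identifier, whereas a credential issued at registration should be an independent random secret. The sample IMEI, the `DeviceRegistry` class and its methods are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample IMEI (not a real device): 14 digits plus a Luhn check digit.
SAMPLE_IMEI = "490154203237518"


def imei_is_valid(imei: str) -> bool:
    """Luhn check over a 15-digit IMEI. The format is public and structured,
    so an IMEI carries no secret that an attacker could not read or guess."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for i, ch in enumerate(imei):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the left
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def weak_password_for(imei: str) -> str:
    """The pattern the story describes: the credential is a function of the
    IMEI alone, so reading the IMEI is equivalent to knowing the password."""
    return imei


class DeviceRegistry:
    """Hardened alternative (constructed for the example): the IMEI is at most
    an identifier; the credential is a random per-registration secret that the
    server stores only as a salted PBKDF2 hash."""

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}

    @staticmethod
    def _derive(secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)

    def register(self, imei: str) -> tuple[str, str]:
        if not imei_is_valid(imei):
            raise ValueError("malformed IMEI")
        device_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)  # 256 random bits, independent of the IMEI
        salt = secrets.token_bytes(16)
        self._records[device_id] = (salt, self._derive(secret, salt))
        return device_id, secret  # the secret is shown to the device exactly once

    def authenticate(self, device_id: str, secret: str) -> bool:
        rec = self._records.get(device_id)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(self._derive(secret, salt), stored)
```

With the hardened registry, presenting the IMEI as the credential fails even though the IMEI was used to register; only the randomly issued secret authenticates.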

20 of 102 comments

  1. Seriously? by thePowerOfGrayskull · · Score: 4, Insightful

    The intent of this blog post is not to give “hackers” or “scriptkiddies” any funny ideas, but merely for awareness.

    And yet, after reading the blog post, I see he made no mention of warning WhatsApp, giving them a chance to alter this, etc.

    Nicely done with the "responsible disclosure".

    1. Re:Seriously? by Lehk228 · · Score: 4, Insightful

      Responsible disclosure is something earned by responsible actions on the part of developers.

      Do something retarded and you deserve to have it blow up in your face like that.

      --
      Snowden and Manning are heroes.
    2. Re:Seriously? by Anonymous Coward · · Score: 5, Insightful

      If an app's security is so clueless, it's quite arguably more responsible to give them maximum public humiliation by not allowing the producer to water down the announcement with a PR show about fixing a flaw they never should have allowed to ship.

      Yup, the app's users are /possibly/ more exposed to script kiddies briefly (the flaw may be well known outside the greater public already), but that's offset by having more people made safer by just dropping the app in revulsion. Also it inflicts maximum pain on the producer for a bonehead move; sometimes maximizing the negative-feedback part of learning is real important.

      It's not a simple call to make. I like responsible disclosure, but it's just not always a black-white call.

      Also, "so what?" -- by that I mean only that we're always going to have a percentage of people who simply say 'this shit is broken' without contacting the producer. That's got to be factored into developing anything, and glaring at the messenger is pointless. It's a fact of the social milieu.

    3. Re:Seriously? by MrHanky · · Score: 2, Informative

      Meh. It's a proprietary extension to a free protocol, with lock-in included. Fuck them.

    4. Re:Seriously? by kylegordon · · Score: 5, Informative

      There's no need for responsible disclosure when it's been around for months on Github.

      Just check https://github.com/venomous0x/WhatsAPI/blob/63639eafc9a08fd308df72458f1381ec8899940d/README.md and you'll see.

    5. Re:Seriously? by Bogtha · · Score: 2

      I see he made no mention of warning whatsapp

      This isn't an accidental security vulnerability, they deliberately designed their system this way. They obviously already knew their system works this way.

      --
      Bogtha Bogtha Bogtha
    6. Re:Seriously? by Anonymous Coward · · Score: 5, Insightful

      Only part of the security community believes in responsible disclosure, a large portion of the community is for 'full disclosure', like the post in question here.

      Great example: security researchers point out 29 vulnerabilities in Java 7 to Oracle in April, with proof-of-concept code and everything. Oracle patches 2 of the vulnerabilities in the June update. Someone else finds some of the same flaws and exploits them in the wild. Oracle only fixed them after they were being actively exploited. Turns out the fixes were a band-aid at best: with a little refactoring, Security Explorations (the Polish researchers in question) updated their proof-of-concept code, and all of the exploits still work even after Oracle's 'patch'.

      Without the huge public pressure from public disclosure, Oracle just ignores the vulnerabilities.

    7. Re:Seriously? by Anonymous Coward · · Score: 5, Insightful

      So, let's allow a bunch of people to get hacked because the developer doesn't meet your standards. That's not a dick move at all.

    8. Re:Seriously? by mwvdlee · · Score: 2

      Responsible disclosure has nothing to do with the developer, it's meant to protect its users.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    9. Re:Seriously? by Hatta · · Score: 3, Insightful

      "Responsible disclosure" is a completely disingenuous term. Full disclosure is the only responsible route.

      --
      Give me Classic Slashdot or give me death!
    10. Re:Seriously? by Hatta · · Score: 2

      The person who delays announcement of a security hole is allowing a bunch of people to get hacked. If a "security researcher" found the hole, you have to assume a black hat has as well. Make the announcement immediately, so those affected can take the affected systems offline immediately, or make other arrangements.

      Failing to announce vulnerabilities immediately is a dick move that only protects the people that made the vulnerable product.

      --
      Give me Classic Slashdot or give me death!
    11. Re:Seriously? by DMiax · · Score: 4, Insightful

      Since the app did not pop out of nowhere but someone wrote it, I have to assume that WhatsApp already knows that they are using IMEI as passwords and they are clearly OK with that. It's not a bug or something that slipped in. It is not a side effect of another decision: it is how they intended it to work and it is stupid. The only people who don't know are the current and prospective users, hence full disclosure.

  2. I love the last line of the article by Meshach · · Score: 5, Insightful

    The intent of this blog post is not to give “hackers” or “scriptkiddies” any funny ideas, but merely for awareness.

    Yes and porn is watched for the acting.

    --
    "Maybe this world is another planet's hell"
    Aldous Huxley
    1. Re:I love the last line of the article by Anonymous Coward · · Score: 2, Funny

      Yes and porn is watched for the acting.

      porn with acting is called drama on HBO

      spartacus

    2. Re:I love the last line of the article by Viceice · · Score: 3, Insightful

      Porn _IS_ watched for the acting. Because it sure isn't watched for the plot, story or any other production value.

      --
      Sometimes I wish I was a plumber, then I'd know how to deal with other people's shit.
  3. warning? by kenorland · · Score: 4, Insightful

    What good would a "warning" do? This isn't some accidental security slip-up, it's a sign of utter incompetence.

  4. Always the same stupid, stupid mistakes by gweihir · · Score: 3, Insightful

    Why are these people not asking _one_ person that understands security before implementing the same tired old stupid mistakes again? There is not even space for responsible disclosure here. The only thing to tell users is to stay away from this insecure trash. If they make beginner's mistakes like these, there is likely no way to fix this app without a complete re-design.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Always the same stupid, stupid mistakes by ahoog · · Score: 2

      They don't even have to ask. After years of doing mobile security audits, we compiled 42+ best practices for secure mobile development and posted them free online. It's just that secure development takes extra time (and talent) and very few are willing to make that commitment. https://viaforensics.com/resources/reports/best-practices-ios-android-secure-mobile-development/

      --
      Andrew Hoog
      viaForensics
  5. IMEI not just "easily readable" by richard.cs · · Score: 2

    The IMEI is not just "easily readable", it's sent unencrypted whenever a call is made. This was a deliberate design choice; it could have been sent after the encrypted connection was established, but the writers of the specification chose otherwise. The motivations for this have never been explained, but a lot of people have drawn their own conclusions.

    In any case my point is that it's even easier than TFA suggests to obtain someone's IMEI.

  6. Re:The Mind Has No Firewall by myowntrueself · · Score: 3, Funny

    “The Mind Has No Firewall” by Timothy L. Thomas. Parameters, Spring 1998, pp. 84-92.

    The human body, much like a computer, contains myriad data processors. They include, but are not limited to, the chemical-electrical activity of the brain, heart, and peripheral nervous system, the signals sent from the cortex region of the brain to other parts of our body, the tiny hair cells in the inner ear that process...

    I was half expecting this to turn into another 'MyCleanPC' spam post.

    --
    In the free world the media isn't government run; the government is media run.