Slashdot Mirror


WhatsApp Is Using IMEI Numbers As Passwords

mpol writes "In the past, WhatsApp has been criticized over their insecure use of XMPP. Recently, new versions of their app have incorporated encryption. It seems the trouble isn't over yet for WhatsApp and its users. Sam Granger writes on his blog that WhatsApp is using IMEI numbers as passwords. This is at least the case with the Android app, but other platforms are probably using similar methods. Since someone's IMEI number is easily readable, this isn't really secret information that should be used for authentication."
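The summary's point is that a credential must be secret, and a device identifier that any app or anyone with brief access to the handset can read is not. The following Python is an added illustration, not code from the page, from Sam Granger's post, or from WhatsApp (whose actual derivation the page does not describe): the weak scheme is a constructed stand-in in which the "password" is a deterministic function of the device identifier, placed beside a hardened registration flow in which the server mints a random per-installation secret and keeps only a salted hash of it. The IMEI-like string is a sample value.

```python
import hashlib
import hmac
import secrets

# Weak scheme (constructed illustration, not WhatsApp's real derivation):
# the credential is a pure function of a readable device identifier, so it
# adds no secret at all. Anyone who learns the identifier knows the password.
def credential_from_device_id(device_id: str) -> str:
    return hashlib.sha256(device_id.encode()).hexdigest()


def credential_is_recoverable(credential: str, exposed_values: list) -> bool:
    """Design-review check: can the credential be rebuilt from values the
    device already exposes (identifiers, serials, phone number)?"""
    return any(credential_from_device_id(v) == credential for v in exposed_values)


class AuthServer:
    """Hardened scheme: the server issues a random secret at registration
    and stores only a salted, stretched hash of it."""

    def __init__(self):
        self._records = {}  # phone_number -> (salt, stored_hash)

    @staticmethod
    def _hash(salt: bytes, secret: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def register(self, phone_number: str) -> str:
        # 256 bits from the OS CSPRNG; unrelated to any device property.
        secret = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self._records[phone_number] = (salt, self._hash(salt, secret))
        # Returned once to the client over the registration channel; the
        # client stores it in protected app storage and never re-derives it.
        return secret

    def authenticate(self, phone_number: str, presented: str) -> bool:
        record = self._records.get(phone_number)
        if record is None:
            return False
        salt, stored = record
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(stored, self._hash(salt, presented))


if __name__ == "__main__":
    sample_imei = "490154203237518"  # sample value, not a real device
    weak = credential_from_device_id(sample_imei)
    print("weak credential recoverable from device id:",
          credential_is_recoverable(weak, [sample_imei]))  # True

    server = AuthServer()
    issued = server.register("+15550100")
    print("random secret recoverable from device id:",
          credential_is_recoverable(issued, [sample_imei]))  # False
    print("login with issued secret:", server.authenticate("+15550100", issued))  # True
    print("login with guessed secret:", server.authenticate("+15550100", weak))  # False
```

The contrast to look for in a review is the input to the credential function: in the weak version every input is something the device will hand over on request, so the scheme has no entropy an attacker lacks; in the hardened version the only input is CSPRNG output that exists nowhere but the client's protected storage and the server's hash table.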

9 of 102 comments

  1. Seriously? by thePowerOfGrayskull · · Score: 4, Insightful

    The intent of this blog post is not to give “hackers” or “scriptkiddies” any funny ideas, but merely for awareness.

    And yet, after reading the blog post, I see he made no mention of warning WhatsApp, giving them a chance to alter this, etc.

    Nicely done with the "responsible disclosure".

    1. Re:Seriously? by Lehk228 · · Score: 4, Insightful

      responsible disclosure is something earned by responsible actions on the part of developers.

      do something retarded and you deserve to have it blow up in your face like that

      --
      Snowden and Manning are heroes.
    2. Re:Seriously? by Anonymous Coward · · Score: 5, Insightful

      If an app's security is so clueless, it's quite arguably more responsible to give them maximum public humiliation by not allowing the producer to water down the announcement with a PR show about fixing a flaw they never should have allowed to ship.

      Yup, the app's users are /possibly/ more exposed to script kiddies briefly (the flaw may be well known outside the greater public already), but that's offset by having more people made safer by just dropping the app in revulsion. Also it inflicts maximum pain on the producer for a bonehead move; sometimes maximizing the negative-feedback part of learning is real important.

      It's not a simple call to make. I like responsible disclosure, but it's just not always a black-white call.

      Also, "so what?" -- by that I mean only that we're always going to have a percentage of people who simply say 'this shit is broken' without contacting the producer. That's got to be factored into developing anything, and glaring at the messenger is pointless. It's a fact of the social milieu.

    3. Re:Seriously? by kylegordon · · Score: 5, Informative

      There's no need for responsible disclosure when it's been around for months on Github.

      Just check https://github.com/venomous0x/WhatsAPI/blob/63639eafc9a08fd308df72458f1381ec8899940d/README.md and you'll see.

    4. Re:Seriously? by Anonymous Coward · · Score: 5, Insightful

      Only part of the security community believes in responsible disclosure, a large portion of the community is for 'full disclosure', like the post in question here.

      Great example: security researchers point out 29 vulnerabilities in Java 7 to Oracle in April, with proof-of-concept code and everything. Oracle patches 2 of the vulnerabilities in the June update. Someone else finds some of the same flaws and exploits them in the wild. Oracle only fixed them after they were being actively exploited. Turns out the fixes were band-aids at best: with a little refactoring, Security Explorations (the Polish researchers in question) updates their proof-of-concept code, and all of the exploits still work even after Oracle's 'patch'.

      Without the huge public pressure from public disclosure, Oracle just ignores the vulnerabilities.

    5. Re:Seriously? by Anonymous Coward · · Score: 5, Insightful

      So, let's allow a bunch of people to get hacked because the developer doesn't meet your standards. That's not a dick move at all.

    6. Re:Seriously? by DMiax · · Score: 4, Insightful

      Since the app did not pop out of nowhere but someone wrote it, I have to assume that WhatsApp already knows that they are using IMEI as passwords and they are clearly ok with that. It's not a bug or something that slipped in. It is not a side effect of another decision: it is how they intended it to work and it is stupid. The only people who don't know are the current and prospective users, hence full disclosure.

  2. I love the last line of the article by Meshach · · Score: 5, Insightful

    The intent of this blog post is not to give “hackers” or “scriptkiddies” any funny ideas, but merely for awareness.

    Yes and porn is watched for the acting.

    --
    "Maybe this world is another planet's hell"
    Aldous Huxley
  3. warning? by kenorland · · Score: 4, Insightful

    What good would a "warning" do? This isn't some accidental security slip-up, it's a sign of utter incompetence.