Slashdot Mirror


WhatsApp Threatens Developers of PC Gateway With Legal Action

An anonymous reader writes "In an apparent reaction to the security vulnerabilities demonstrated by The H's associates at heise Security, the company behind WhatsApp Messenger is taking action against the developers of a library of functions for using the WhatsApp service via a PC. The developers have responded by removing the source code from the web. However, the popular texting alternative WhatsApp still has a major security problem. Attackers can compromise other users' accounts with relative ease, and send and receive messages from another user's account. Forked versions of the code are still available on Github."

10 of 27 comments

  1. I remember them! by TheSpoom · · Score: 5, Interesting

    One of our clients wanted us to send notification messages over WhatsApp to end users, but they don't have an API and at the time, this third party library was not available. We told them we couldn't do it. Sounds like we avoided a shitstorm.

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
    1. Re:I remember them! by TheSpoom · · Score: 5, Insightful

      Also, let's just all act like github isn't versioned. *whistles*

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    2. Re:I remember them! by TheSpoom · · Score: 3, Informative

      git clone git://github.com/venomous0x/WhatsAPI.git
      cd WhatsAPI
      git checkout 476bb7a0d2d4def370c876a8557542ee21686f7f

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
  2. Liability Assurance... by sinij · · Score: 5, Insightful

    Sadly Information Security is now more about offloading liability and then seeking damages than actually delivering secure solutions.

    1. Re:Liability Assurance... by idontgno · · Score: 4, Interesting

      From a business ("risk management") perspective, it often costs no more to offload liability or otherwise mitigate the impacts of a security event than to actively prevent the security event. In that case, is anyone surprised a business makes a business decision? If you ask the business, security features support the business and not the other way around, so business priorities always take precedence.

      And yeah, that means that if there's a breach, if you can decrease the overall cost of notification and settlement with the victims, letting the breach happen may be the more business-savvy choice.

      Sucks, but that's the profit motive for you.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
  3. Bunch of crackpots by DMiax · · Score: 4, Interesting

    Few developers make me so angry as WhatsApp's ones. They just took XMPP, made a couple of changes so that it does not work with normal clients, forgot about any kind of security and call it a day. Their biggest idea is using phone numbers as identifiers and marketing their app as an SMS replacement instead of an internet chat. Fuck them.

    1. Re:Bunch of crackpots by Nerdfest · · Score: 4, Interesting

      Apple did the same thing.

    2. Re:Bunch of crackpots by GameboyRMH · · Score: 4, Informative

      Yeah but with SIP instead of XMPP (FaceTime).

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    3. Re:Bunch of crackpots by Anonymous Coward · · Score: 3, Interesting

      Few developers make me so angry as WhatsApp's ones. They just took XMPP, made a couple of changes so that it does not work with normal clients, forgot about any kind of security and call it a day. Their biggest idea is using phone numbers as identifiers and marketing their app as an SMS replacement instead of an internet chat. Fuck them.

      Yeah, the big thing about it is using phone numbers as identifiers. But even that doesn't justify the security holes. They could just generate a random key and store it on the server and on the device. So, the phone number would be the "username", the random key would be the "password". If the user changed device, the current SMS verification can be used to verify the user is really using the same phone number, and then issue a key regeneration. There is no excuse to use some predictable number based on public info like IMEI, MAC addresses etc.
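
The scheme the comment above proposes (phone number as the "username", a random per-device key as the "password", and the existing SMS verification used to rotate the key when the user moves to a new device), written out as an added example. This is not code from the original thread, from WhatsApp, or from the WhatsAPI library; the AccountStore class, its method names, the in-memory tables, the 5-minute code lifetime and the 3-attempt limit are all assumptions chosen for illustration. The server stores only a hash of the key, so a database leak does not hand out working passwords, and a confirmed re-verification invalidates the old device's key.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values (not from the thread): SMS codes live 5 minutes, 3 guesses max.
CODE_TTL_SECONDS = 300
MAX_CODE_ATTEMPTS = 3


class AccountStore:
    """In-memory stand-in for the server-side database (constructed for this example)."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be exercised offline
        self.key_hashes = {}        # phone -> sha256(device key)
        self.pending_codes = {}     # phone -> (sha256(code), expires_at, attempts_left)

    @staticmethod
    def _digest(value: str) -> bytes:
        return hashlib.sha256(value.encode()).digest()

    def _issue_key(self, phone: str) -> str:
        # 256 bits from the OS CSPRNG: nothing derivable from IMEI, MAC or phone number.
        key = secrets.token_urlsafe(32)
        self.key_hashes[phone] = self._digest(key)
        return key

    def register(self, phone: str) -> str:
        """First registration of a number: returns the secret the device must store."""
        if phone in self.key_hashes:
            raise ValueError("already registered; use re-verification to move devices")
        return self._issue_key(phone)

    def authenticate(self, phone: str, key: str) -> bool:
        """Username = phone number, password = random key. Constant-time compare."""
        stored = self.key_hashes.get(phone)
        if stored is None:
            return False
        return hmac.compare_digest(stored, self._digest(key))

    def request_reverification(self, phone: str) -> str:
        """Device change: issue a short-lived SMS code. Returned here instead of sent
        over SMS so the example runs offline; only its hash is kept server-side."""
        if phone not in self.key_hashes:
            raise ValueError("unknown account")
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_codes[phone] = (
            self._digest(code), self.clock() + CODE_TTL_SECONDS, MAX_CODE_ATTEMPTS)
        return code

    def confirm_reverification(self, phone: str, code: str):
        """Prove possession of the number, then rotate the key. Returns the new key,
        or None if there is no pending code, it expired, or the guess was wrong."""
        entry = self.pending_codes.get(phone)
        if entry is None:
            return None
        code_hash, expires_at, attempts_left = entry
        if self.clock() > expires_at:
            del self.pending_codes[phone]
            return None
        if not hmac.compare_digest(code_hash, self._digest(code)):
            attempts_left -= 1
            if attempts_left <= 0:
                del self.pending_codes[phone]    # force a fresh SMS after too many guesses
            else:
                self.pending_codes[phone] = (code_hash, expires_at, attempts_left)
            return None
        del self.pending_codes[phone]
        return self._issue_key(phone)            # old device's key no longer authenticates
```

The point of the rotation step is that SMS proves control of the number at one moment; the random key is what carries that proof forward, so neither a leaked IMEI nor a leaked database row is enough to speak as the account.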

  4. WhatsApp spam coming by KarlH420 · · Score: 4, Insightful

    If WhatsApp doesn't add more security, my prediction is that we will start to see WhatsApp spam. If you know a phone number and its IMEI, you can fake the sender using the WhatsApp protocol. All it will take now is for someone to acquire a database of IMEIs and phone numbers before the spam can start flowing.