23 comments

[ 3.1 ms ] story [ 58.4 ms ] thread
As a frequent WhatsApp user, I must say I find this more amusing than anything. I've never really understood what the status feature is for anyway.
As a frequent WhatsApp user I don't find this amusing at all. If this is how the engineers handle security issues, it might be time to convince my friends to switch to another messenger. It's not like there was no competition in that field.
Kik Messenger seems to have been doing very well recently.
Do you know if this can be used with Jabber and if the messages are sent on an encrypted connection to the server?

If not, any good apps that do for Iphone or Blackberry?

I played a little with reverse engineering Kik a while ago. I'm not sure about the messages, but I was able to siphon off the plaintext password using ngrep. It's XMPP, btw.
When they originally launched, they were not using SSL, and were using plain text authentication. Since then, they changed the authentication so it wouldn't be sent in plain text. Then they later added SSL. Then in the middle of last year, they updated their SSL setup so it actually did certificate verification.

It took them a while to get there, but it's secure now.

Umm, I think a malicious user could write things in your status that could have negative consequences for you.
Of course, these security holes are not so hilarious to WhatsApp users who think their chats are encrypted on route to WhatsApp's servers :)
The initial design of WhatsApp was as an app to share your status. Only later did they add messaging. Which is the functionality that actually made them take off. But they've never removed the statua part, even though nobody uses it.
It's not changing status anymore, did they already block the site's IP?
Is this a Fraud site? Not working for me.
Ain't working for me either, but I've read report of people who were able to to that.

Too bad :)

Mikko Hypponen reblogged a tweet mentioning it, so it has to be legit. :)
I could not change mine. If the leak is plugged would you be willing to explain where the hole is?
Did anybody have any success with changing someone else's status with this? If so, please post.

I got the success message on site and restarted the app too on iPhone by killing it from the multitasking bar but my friend's status is still unchanged.

Makes me doubt it is a fraud site as BuddhaSource mentioned.

Some more information about this can be found here: http://packetstormsecurity.org/files/108010/SA-20111219-1.tx...
Wow it seems there is no security at all:

> By providing any WhatsApp registered telephone number and the text for the status update, it is possible to change a user's status. This action does not require any prior authentication or authorization

> (on registration) The vendor has implemented bruteforce protection by locking a number after 10 tries. This step makes a successful attack on a specific number unlikely but an attacker bruteforcing X00 numbers can still guess X number(s) on average.

> As published in the past several times already the XMPP traffic from WhatsApp is not encrypted.

And they are planning to charge money for it?

edit: perhaps even worse is their response to the security vulnerability seen in the timeline - they knew about the bug since 09-14

What would the legal liabilities of this site be?
The site says the hole has been patched but I was just able to change my own status with this:

  curl -A "WhatsApp/2.6.7 iPhone_OS/5.0.1 Device/iPhone_4" --header "Accept-Language: en-us" --header "Accept-Encoding: gzip, deflate" --header "Connection: keep-alive" -d "cc=1&me=%2B1{10_DIGIT_NUMBER}&s={URL_ENCODED_STATUS}" https://s.whatsapp.net/client/iphone/u.php
It did take some time to show up under my name, even after restarting the app.
dumb question - how exactly can I try this? I went to the site, but didn't find relevant information.
There's a few ways that they can patch this. I'm assuming that there's some sort of auth process in place for their http calls and this could simply be a case where this particular endpoint missed the auth.

Or they're simply blocking the whatsappstatus's ip and a fix would actually require both client side and server side changes.

But honestly its just a messaging app and how many people really cares if "let's go grab a beer" is encrypted or not.