As a frequent WhatsApp user I don't find this amusing at all. If this is how the engineers handle security issues, it might be time to convince my friends to switch to another messenger. It's not like there was no competition in that field.
I played a little with reverse engineering Kik a while ago. I'm not sure about the messages, but I was able to siphon off the plaintext password using ngrep. It's XMPP, btw.
When they originally launched, they were not using SSL, and were using plain text authentication. Since then, they changed the authentication so it wouldn't be sent in plain text. Then they later added SSL. Then in the middle of last year, they updated their SSL setup so it actually did certificate verification.
It took them a while to get there, but it's secure now.
The initial design of WhatsApp was as an app to share your status. Only later did they add messaging. Which is the functionality that actually made them take off. But they've never removed the statua part, even though nobody uses it.
Did anybody have any success with changing someone else's status with this? If so, please post.
I got the success message on site and restarted the app too on iPhone by killing it from the multitasking bar but my friend's status is still unchanged.
Makes me doubt it is a fraud site as BuddhaSource mentioned.
> By providing any WhatsApp registered telephone number
and the text for the status update, it is possible to change a user's
status. This action does not require any prior authentication or
authorization
> (on registration) The vendor has implemented bruteforce
protection by locking a number after 10 tries. This step makes a
successful attack on a specific number unlikely but an attacker
bruteforcing X00 numbers can still guess X number(s) on average.
> As published in the past several times already the XMPP traffic from
WhatsApp is not encrypted.
And they are planning to charge money for it?
edit: perhaps even worse is their response to the security vulnerability seen in the timeline - they knew about the bug since 09-14
There's a few ways that they can patch this. I'm assuming that there's some sort of auth process in place for their http calls and this could simply be a case where this particular endpoint missed the auth.
Or they're simply blocking the whatsappstatus's ip and a fix would actually require both client side and server side changes.
But honestly its just a messaging app and how many people really cares if "let's go grab a beer" is encrypted or not.
23 comments
[ 3.1 ms ] story [ 58.4 ms ] threadIf not, any good apps that do for Iphone or Blackberry?
It took them a while to get there, but it's secure now.
Too bad :)
I got the success message on site and restarted the app too on iPhone by killing it from the multitasking bar but my friend's status is still unchanged.
Makes me doubt it is a fraud site as BuddhaSource mentioned.
> By providing any WhatsApp registered telephone number and the text for the status update, it is possible to change a user's status. This action does not require any prior authentication or authorization
> (on registration) The vendor has implemented bruteforce protection by locking a number after 10 tries. This step makes a successful attack on a specific number unlikely but an attacker bruteforcing X00 numbers can still guess X number(s) on average.
> As published in the past several times already the XMPP traffic from WhatsApp is not encrypted.
And they are planning to charge money for it?
edit: perhaps even worse is their response to the security vulnerability seen in the timeline - they knew about the bug since 09-14
Or they're simply blocking the whatsappstatus's ip and a fix would actually require both client side and server side changes.
But honestly its just a messaging app and how many people really cares if "let's go grab a beer" is encrypted or not.