Am I missing something? "Give me your number and password, and I'll show you that WhatsApp is insecure". Really?
There is definitely a place to out a company that fails to secure things consistently, but asking for credentials in this way absolutely wrecks your credibility to anyone but the most trusting of people that already knows you. No one should input anything into this form, even if it's credible. To do so, is assuming that it is not being stored in any way (unprovable), and that it is following security best practices (on a site that's not even operating on a secure connection). I'm sure you are a standup guy, but I hope we never get complacent with blindly accepting "hack checkers" like the ones that popped up around other notable hacks recently
FTP. AIM. These are equally if not more insecure for the same reasons. Not to mention that if you're on my network a "WhatsApp" account is the least of my concerns.
1) Your mac address is available to even passive sniffers without the key to an encrypted network. In some circumstances you don't even need to be connected to a network to grab someone's mac address (iPhones in particular love looking for networks loudly).
2) FTP and AIM passwords can be changed. Yes, a passive sniffer on the same network can still get them, but this is a significantly harder task than getting someone's mac address, and there's no way to change the goal.
3) Brute force attacks become within the realm of possibility. Have someone you know has an iPhone 5 and uses WhatsApp? The first chunk of the mac address is assigned by vendor, so you've already narrowed the search space down drastically by half to needing to guess 6 hex digits.
It's trivial to get these values from software and it is (was) a very common practice amongst app developers, advertisers etc. to collect this information and store it in a database. I can guarantee you that the IMEI in the majority of these databases is stored as plaintext. Due to the easy access to these numbers as well as the large number of massive existing databases of them, IMEI numbers are simply not suitable password equivalents in any way and merely suggesting the contrary makes our world a less secure place.
The IMEI is harder, but anyone who can grab your phone can enter *#06# to get your IMEI. Also, it's available on the box of your device, and many apps store the IMEI to identify your device.
I see what you are trying to do, but I think it would work better if you requested the MAC address instead of the password. The way it's written now, it looks like you're asking for the password.
I support this though, because WhatsApp has known about this for a couple years now and refuse to do anything about it.
The short version is, anyone can steal your messages if they have your mac address. Anyone on the same network as you, or within wifi range -- even if not connected to a wifi network, but with the radio on -- has your mac address. And you can never change it, so once someone snarfs it once, they get your account for life.
Edit: From the README on the GitHub page:
Password Overview
Android: MD5 hash of reversed IMEI (Credit: WhatsAPI Original Authors)
iOS: MD5 hash of the MAC address repeated twice (Credit: Ezio Amodio)
Windows Phone: MD5 hash of reversed DeviceUniqueId (Credit: Robe Fernández)*
I had the impression that iOS apps that use any API to retrieve the MAC address are banned from the store, similar to the way calls to retrieve the UDID are.
Maybe they are grandfathered in? Would they be banned if they pushed an update? Are Apple afraid of kicking out an iMessage competitor?
There is no real way WhatsApp can fix this problem without large consumer backlash from existing customers. The reason WhatsApp took off is because 'it just works' without requiring creating accounts and other nastiness.
You just install it, whack in your phone number, and off it goes. Swap to a new phone? Whack in your phone number, and you're back on your account.
This is why WhatsApp has beaten out the competition (along with good marketing in airports, etc) - and there is A LOT of competition. By fixing this 'flaw', WhatsApp will fail. The best they could do is offer an 'advanced security' option for uses who want more secure communication, but the default insecurity will have to stay.
TLDR: Insecurity is the very bedrock of WhatsApp's popularity. It cannot be 'fixed' at this point.
With WhatsApp you have one account per phone number that you activate on each phone through SMS authentication.
So if I installed WhatsApp to my iPhone 4 under number 917-555-5555, WhatsApp will then text that number with an activation code and when I enter that activation code in the WhatsApp app, it ties that number to my phone with that phone's MAC address/IMEI.
If I then upgraded to the iPhone 5 under the same number, the process repeats itself and now ties that number to the iPhone 5 with its MAC address/IMEI. I will now lose access to WhatsApp on that number on my iPhone 4.
WhatsApp, if you are listening, do the following.. Add an extra column to your database table where user 'credentials' are saved. Let's call it 'password'. Or call it realpassword if you're using password for the md5'ed IMEI/MAC. Now, leave it empty for a moment..
On your next client update, force your users to fill in a password. Don't save it plaintext mmkay, drop a whole pot of salt all over it and save it in the password column. If user has a known password, check if their client sent the correct one.
You can still check IMEI or MAC address too if you want, but only as an extra 'check' to verify user is logging in from their mobile and not some fishy desktop client. Again, the latter isn't secure but is meant as a fallback.
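The scheme this comment proposes, side by side with the device-ID-only scheme quoted from the README earlier in the thread, as an added illustration that is not code from the thread or from WhatsApp (the record layout, the pbkdf2 parameters and the function names are assumptions):

```python
import hashlib
import hmac
import os

def legacy_password(device_id: str, platform: str) -> str:
    """The scheme the README excerpt describes: the 'password' is a bare MD5 of
    a device identifier. It is a pure function of something observable on the
    network or printed on the box, so it is not a secret at all."""
    if platform == "ios":
        material = device_id * 2       # MAC address repeated twice
    elif platform == "android":
        material = device_id[::-1]     # reversed IMEI
    else:
        raise ValueError("unsupported platform")
    return hashlib.md5(material.encode()).hexdigest()

# Hardened store as proposed above (assumed layout): a real password, salted and
# stretched, with the device identifier demoted to a secondary check.
ROUNDS = 200_000

def make_record(real_password: str, device_id: str) -> dict:
    salt = os.urandom(16)              # per-user random salt, stored alongside
    digest = hashlib.pbkdf2_hmac("sha256", real_password.encode(), salt, ROUNDS)
    return {"salt": salt, "password": digest, "device_id": device_id}

def verify(record: dict, password: str, device_id: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ROUNDS)
    if not hmac.compare_digest(candidate, record["password"]):
        return False                   # wrong password: reject whatever the device says
    # The device identifier only flags a login from an unexpected client; it never
    # stands in for the password, because anyone nearby can learn it.
    return device_id == record["device_id"]
```

Two registrations of the same password get different salts, so a leaked table no longer hands out reusable credentials the way a table of device-ID hashes does.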
Instead of just saying "click here to see all the articles about this security hole" it would go a long way to provide a concise synopsis for those of us who don't use WhatsApp but are still interested in understanding your approach.
WhatsApp was never designed with security as a priority. I remember a couple of years ago after it took off investigating it with a packetsniffer when I noticed the phone number verification text let you in the second you finished typing the PIN. I recall either the server was sending the PIN to the device or the device was telling the server what PIN to send in the text. Ridiculously easy to impersonate anyone at that point. Last I checked they had fixed that hole but I'm not surprised others have popped up.
Can you clarify what each input means? When the help text for the "name" field of a form says "the name you'd like to use".. well, it's not very helpful. Thanks :-)
My number is not from the US. Maybe you are creating the JID using the US country code + the phone number field instead of using the full number field?
Tried again here, not working. Do you know if it is possible to sniff the iphone connection and get the md5? I have generated the hash from the duplicated mac and want to check that it is identical.
The password algorithm changed in the latest versions of WhatsApp, at least on iPhone. You can get a Base64 of the md5 from the application directory, but it doesn't match the IMEI or MAC md5. I am trying to break mine with hashcat to see what kind of pattern it follows.
I guess you are trying to do the MD5 yourself, while you should simply just enter the MAC address with the colons (:). The script will automatically generate the hash for you.