Account theft still possible with latest WhatsApp
Recent changes to WhatsApp, which appears to have captured a position as the popular app-based alternative to texting, have not actually secured the system, at least for Android users. In a test by The H's associates at heise Security, it was found to still be possible to take over an account unnoticed and send and receive WhatsApp messages on behalf of that user.
Just over two months ago, WhatsApp stopped transmitting users' messages in plain text. This meant that tools such as WhatsApp Sniffer no longer worked. But within weeks it became apparent that WhatsApp's new approach was hardly any protection, as the application used the device's IMEI serial number on Android and the MAC address of the Wi-Fi interface on iOS to generate passwords. As these are easily obtained items of information, the WhatsAPI PHP library was quickly adapted to make use of this information and take over an account.
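The following illustration is added here and is not WhatsApp's code or the article's; it does not reproduce the actual derivation WhatsApp used. It contrasts the design flaw the paragraph describes (a credential that is a pure function of a device identifier such as the IMEI or Wi-Fi MAC, which anyone able to read that identifier can recompute) with a server-issued random secret, and includes the design-review check a defender would run: can a party holding only the phone number and the identifier authenticate? The hash function, class and function names, and the sample phone number and IMEI are all assumptions made for the example.

```python
"""Added example (not WhatsApp's scheme): a credential derived from a
public device identifier is no stronger than the identifier itself,
while a server-issued random secret is not reproducible from it."""
import hashlib
import hmac
import secrets


class DerivedScheme:
    """Hypothetical flawed design: credential = H(device identifier).
    Whoever can read the identifier (IMEI, Wi-Fi MAC) can recompute it.
    SHA-256 is a placeholder here, not the algorithm the article reports."""

    def credential_for(self, device_identifier: str) -> str:
        return hashlib.sha256(device_identifier.encode()).hexdigest()


class RandomScheme:
    """Safer design: a fresh random secret chosen at registration and
    handed only to the verified device. The identifier plays no role,
    so knowing it yields nothing."""

    def credential_for(self, device_identifier: str) -> str:
        return secrets.token_hex(32)


class Registry:
    """Minimal server-side account store keyed by phone number. Only a
    hash of the credential is kept, and comparison is constant-time."""

    def __init__(self, scheme):
        self.scheme = scheme
        self._store: dict[str, str] = {}

    @staticmethod
    def _digest(credential: str) -> str:
        return hashlib.sha256(credential.encode()).hexdigest()

    def register(self, phone: str, device_identifier: str) -> str:
        credential = self.scheme.credential_for(device_identifier)
        self._store[phone] = self._digest(credential)
        return credential  # delivered to the legitimate device only

    def authenticate(self, phone: str, credential: str) -> bool:
        stored = self._store.get(phone)
        if stored is None:
            return False
        return hmac.compare_digest(stored, self._digest(credential))


def reproducible_from_identifier(registry: Registry, phone: str,
                                 device_identifier: str) -> bool:
    """Design-review check: assuming the derivation rule is public (as it
    becomes once reverse engineered), can phone number plus identifier
    alone log in? True means the credential adds no secret at all."""
    guess = DerivedScheme().credential_for(device_identifier)
    return registry.authenticate(phone, guess)


# Constructed sample values for the example; not real subscriber data.
SAMPLE_PHONE = "+10000000000"
SAMPLE_IMEI = "123456789012345"


def demo() -> dict:
    """Run both schemes through registration and the review check."""
    results = {}
    for name, scheme in (("derived", DerivedScheme()), ("random", RandomScheme())):
        reg = Registry(scheme)
        cred = reg.register(SAMPLE_PHONE, SAMPLE_IMEI)
        results[name] = {
            "legit_device_logs_in": reg.authenticate(SAMPLE_PHONE, cred),
            "identifier_alone_suffices": reproducible_from_identifier(
                reg, SAMPLE_PHONE, SAMPLE_IMEI),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Under the derived scheme the legitimate device authenticates, but so does anyone who knows the phone number and IMEI; under the random scheme only the device that received the secret at registration can. The useful mitigation is therefore not a stronger hash over the identifier but removing the identifier from the credential entirely.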
Two weeks ago, though, it became apparent that WhatsApp had changed their server-side processing. Web clients that used the WhatsAPI library were unable to operate with the service. This led people to assume that WhatsApp had made the system safe, but as the company was not providing any information on its changes it appeared to be relying on security through obscurity.
That obscurity has not lasted long though. A reader of heise Security sent them a script which restored the WhatsAPI library to operation and again allowed them to hijack the account of an Android user of WhatsApp with only the phone number and IMEI code. With the previous version of WhatsAPI, it was possible to also hijack iOS users, but it was not possible to test this with the current version. It is reasonable to assume, though, that other smartphone versions of WhatsApp are vulnerable in a similar way.
Although WhatsApp had not responded in the past to heise Security's media inquiries, they informed the company of the security problem and after a few days actually received a response from a person who is, according to media reports, one of the founders of WhatsApp. She informally asked what version of the app was concerned and was told it was Android version 2.8.7326. Since then, though, there has been silence.
To help accelerate the closing of the hole, heise Security then offered WhatsApp all the details about the vulnerability and the account used with the script. Days have passed since this, however, and heise Security have not been asked by WhatsApp to send on that information.
Given how opaquely WhatsApp handles security issues, The H cannot recommend use of the service. We suggest readers use some other application like Skype, Facebook, or even email or SMS where at least the risks are well known and documented, so that they can at least take control of the risks they are being exposed to.