WhatsApp allegedly creates overly simple passwords under iOS too
Like the Android version, the iOS version of WhatsApp, the popular app-based alternative to texting, uses a primitive method to generate log-in passwords. According to a post on an Italian blog, the iOS client simply doubles the Wi-Fi interface's MAC address and generates an MD5 hash from it: md5(AA:BB:CC:DD:EE:FFAA:BB:CC:DD:EE:FF).
To prove this, the author provides an excerpt from the iPhone app's disassembled code. If the allegations turn out to be true, the author has found a serious security problem: WhatsApp only requires users' phone numbers and these automatically generated passwords for authentication. If the app is used over a public hotspot, for example, other users of the Wi-Fi network could easily read this information – and potentially even take permanent control of accounts.
The MAC address is publicly visible on a network anyway, and a test by The H's associates at heise Security has shown that transferred messages include a plain text version of the user's number – despite the recently introduced message encryption. Under Android, WhatsApp uses the smartphone's IMEI number, rather than the Wi-Fi MAC address, to generate the password.
(crve)
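
The following Python example is an addition to this article, not code from the blog post, from WhatsApp or from heise Security. It reproduces the derivation as reported above and uses it in a developer-side audit check that fails any credential which can be rebuilt from device identifiers alone. The function names, the extra hash variants tested and the random 256-bit credential shown as the hardened form are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample identifier: the placeholder MAC used in the article.
SAMPLE_MAC = "AA:BB:CC:DD:EE:FF"

def password_as_reported(mac: str) -> str:
    """Derivation the article attributes to the iOS client: md5(MAC + MAC)."""
    return hashlib.md5((mac + mac).encode("ascii")).hexdigest()

def random_credential() -> str:
    """Assumed hardened form: a 256-bit secret from the OS CSPRNG."""
    return secrets.token_hex(32)

def _candidates(identifier: str):
    """Yield what simple unsalted hashing of one identifier can produce."""
    for text in {identifier, identifier.upper(), identifier.lower()}:
        for material in (text, text + text):  # single and doubled form
            for algo in ("md5", "sha1", "sha256"):
                yield hashlib.new(algo, material.encode("ascii")).hexdigest()

def derivable_from_identifiers(credential: str, identifiers) -> bool:
    """Audit check: can the credential be rebuilt from identifiers alone?"""
    return any(
        hmac.compare_digest(candidate, credential.lower())
        for identifier in identifiers
        for candidate in _candidates(identifier)
    )

def audit(credential: str, identifiers) -> str:
    """Return a PASS/FAIL verdict for use in a client test suite."""
    if derivable_from_identifiers(credential, identifiers):
        return "FAIL: credential is a function of observable identifiers"
    return "PASS: credential not reproducible from the identifiers tested"

if __name__ == "__main__":
    ids = [SAMPLE_MAC]
    print(audit(password_as_reported(SAMPLE_MAC), ids))
    print(audit(random_credential(), ids))
```

A PASS only means that none of the tested derivations match; it does not prove the credential is strong.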
















