WhatsApp closes hole again, but not in all versions
The game of cat-and-mouse around the security of WhatsApp has entered the next round. About a week ago, The H's associates at heise Security demonstrated that the Android version remained vulnerable to account hijacking; since then, the WhatsApp developers have released WhatsApp 2.8.8968 (and subsequently version 2.8.9108) on Google Play, saying that this version offers improved phone number verification.
The known account hijacking methods did indeed fail with this current version. However, after updating the app on one of heise Security's test devices, the data that WhatsApp had stored on the phone needed to be deleted and the app reconfigured. Under Android 4.1 and 4.2, "Jelly Bean", the data delete feature can be found in Settings ➤ Application Manager ➤ WhatsApp ➤ Delete Data.
As the WhatsApp developers generally decline to release information about the changes they make, how long the messaging app will be immune to cracking this time is a matter for speculation. After the previous security improvement, it took a heise Security reader eight days to submit a script that allowed accounts to be cracked again.
The security prospects for WhatsApp on other smartphone operating systems are also bleak: when heise Security examined the current version 220.127.116.11 for Windows Phone 7.5, it found that accounts can still be hijacked. In the current iOS version, the existing tools have so far been unsuccessful.