WhatsApp Messenger has Multiple Vulnerabilities, Confirmed by Security Advisors!

WhatsApp Messenger has been a very popular app since it launched. I love it, you love it, everyone loves it. But WhatsApp Messenger has a few vulnerabilities, and they can be exploited to change the STATUS messages of other users. I tried to look inside… read further…

WhatsApp is an awesome messaging app because it uses your mobile number to activate services, and the fun part is that you can send messages over the Internet to anyone in your phone book. The company also claimed to manage more than 1 billion messages per day, which I think is a superb achievement and clearly shows the popularity of this app.

WhatsApp’s multiple vulnerabilities have been confirmed by Sec Consult, a Singapore-based adviser for information security.

One of the holes has been implemented in a tiny utility by a group of WhatsApp enthusiasts, WhatsAppStatus.Net, to demonstrate the issues in this app.

According to the statement on their website, they often contacted WhatsApp engineers about these issues but didn’t receive any communication in return.

What is it actually?

Sec Consult has generated a vulnerability report on WhatsApp. (See full report)

SEC Consult Vulnerability Lab Security Advisory < 20111219-1 >
  title: Multiple vulnerabilities in WhatsApp
  product: WhatsApp (tested on Android client)
  fixed version: -
  impact: Medium
  found: 2011-09-09
  by: G. Wagner
  SEC Consult Vulnerability Lab
  Vendor description:
  WhatsApp Messenger is a cross-platform mobile messaging app which
  allows to exchange messages without having to pay for SMS. In addition
  to basic messaging iPhone, Android, Nokia and BlackBerry WhatsApp
  Messenger users can send each other images, video and audio media
Issue 1: Updating arbitrary users' status
  The WhatsApp does most of its communication through XMPP, in some cases
  though the client sends HTTPS requests to interact with the server.
  This is the case when the client fetches a users' status, as well as
  for updating it. By providing any WhatsApp registered telephone number
  and the text for the status update, it is possible to change a user's
  status. This action does not require any prior authentication or
  authorization (This issue was last tested 2011-12-07).
  No POC will be published as no fix is available.

As you can see, it’s been identified in September 2011 but nothing is fixed yet. Maybe WhatsApp engineers are not finding it serious at all.

See the communication log here; we can read Vendor as WhatsApp, because the document is about it.
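The flaw class described in Issue 1 of the advisory above, as an added example that is not from the advisory, from WhatsApp or from the demo utility: a server-side status handler that trusts the phone number named in the request, beside one that requires proof of a key bound to that number. The handler names, the HMAC scheme, the key store and the sample numbers are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: registered number -> status text.
STATUSES = {"+15550100": "Hi there!", "+15550101": "At work"}
# Assumption: a per-device secret issued at registration (number -> key).
DEVICE_KEYS = {n: secrets.token_bytes(32) for n in STATUSES}
_seen = set()  # (number, nonce) pairs already accepted, for replay rejection

def update_status_unauthenticated(number, text):
    """Flawed handler: whoever names a registered number may change its status."""
    if number not in STATUSES:
        return 404
    STATUSES[number] = text
    return 200

def sign_request(key, number, text, nonce):
    """Client side: HMAC over length-prefixed fields, keyed with the device secret."""
    parts = [number.encode(), text.encode(), nonce.encode()]
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def update_status_authenticated(number, text, nonce, mac):
    """Hardened handler: the caller must hold the key bound to `number`."""
    key = DEVICE_KEYS.get(number)
    # Unknown numbers also get 401, so registration status is not revealed.
    expected = sign_request(key or b"\x00" * 32, number, text, nonce)
    if key is None or not hmac.compare_digest(expected, mac):
        return 401
    if (number, nonce) in _seen:
        return 409  # replayed request
    _seen.add((number, nonce))
    STATUSES[number] = text
    return 200

def demo():
    owner, other = "+15550100", "+15550101"
    nonce = secrets.token_hex(8)
    r1 = update_status_unauthenticated(owner, "set by someone else")
    # A different account signs with its own key but names the owner's number.
    wrong = sign_request(DEVICE_KEYS[other], owner, "x", nonce)
    r2 = update_status_authenticated(owner, "x", nonce, wrong)
    good = sign_request(DEVICE_KEYS[owner], owner, "mine", nonce)
    r3 = update_status_authenticated(owner, "mine", nonce, good)
    r4 = update_status_authenticated(owner, "mine", nonce, good)
    return r1, r2, r3, r4, STATUSES[owner]
```

The first handler accepts the change with nothing but the number; the second rejects a request signed with another account's key, accepts the owner's request once, and refuses its replay.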

Vendor contact timeline:
  2011-09-14: Initially contacted vendor
  2011-09-14: Contact established to security team and sent advisory.
  Asked for feedback and patch timeline.
  2011-09-23: No response from vendor. Asked for feedback and patch
  2011-09-23: Vendor response asking for clarification
  regarding issue 2.
  2011-10-14: Response sent regarding issue 2.
  2011-10-26: No response from vendor. Asked for feedback and patch
  2011-11-02: Feedback from vendor regarding issue 2.
  2011-11-02: Asked for patch timeline of the other issues and coordinated
  2011-12-07: No response from vendor. Informed vendor of last chance to
  provide a patch timeline within 7 work days.
  2011-12-14: No response from vendor.
  2011-12-19: Public release without POC

Oops, but is it real?

After receiving an email from one of our readers, Maria – I decided to give it a try.

One of WhatsApp’s issues is that it can be exploited to change the STATUS message of any of its users, if you know his/her phone number, so I downloaded this WhatsApp Status Changer demo utility from

I have the latest version of WhatsApp installed on my phone, so using this utility to change my status message should tell me the current state.


But it didn’t happen that way. The said exploit couldn’t change my status. I cross-checked with my friends on WhatsApp to know what they see as my status message. (Or maybe this exploit utility needs an upgrade.)

I wouldn’t like to undermine anyone, because it’s about the TRUST shown by thousands of users across the world in an authority app like WhatsApp, on various smartphone marketplaces.


I felt good seeing this exploit not working. But still, if the reports above are to be believed, then chances are high that this works for some of the users at least.

As the security adviser said, I too would suggest cross-checking or using an alternate method to exchange important content through WhatsApp, just as a safety measure until we hear from WhatsApp officially.

WhatsApp and its team would definitely try to resolve this issue, if it’s there. I am eagerly waiting to know the company’s thoughts on this and how they convey it to their sincere fans.

@WhatsApp… we always loved you, recommended you to our friends; now it’s your turn to tell us about these issues.

Do share your experience and don’t forget to follow us on Facebook to get latest updates.


    • To give you some insight: I found something weird in WhatsApp Messenger. For the users who have the default status “hi there, I’m using whatsapp”, who did not customize their status, it will get updated. I monitored some of my friends’ statuses; even if they had not been online for a few months, the strange thing is that their status was often recently updated, for example, status: 1hr 10 minutes ago; but this user had not been online for more than 10 months! Could you believe this?! I’m glad I saw your post! Meaning I’m not a weirdo! Thanks for sharing! Hope WhatsApp Inc will correct this! Else the privacy has gone nowhere!

      • Thanks for writing in detail, Jessie and Suroor

        Indeed, that scenario you described is very unusual and something which shouldn’t happen in WhatsApp.

        Maybe those people upgraded the WhatsApp application at that time, which is leading it to show the latest update time? Maybe?

        But yes… If such things are being experienced, we’re glad to have them here. Hope one day WhatsApp will read through all these and make things better…

        Keep us posted again . . Cheers 🙂

