WhatsApp Messenger has Multiple Vulnerabilities, Confirmed by Security Advisors!

WhatsApp Messenger has been a very popular app since the time it was launched. I love it, you love it, everyone loves it. But WhatsApp Messenger has a few vulnerabilities, and they can be exploited to change the STATUS messages of other users. I tried to look inside… read further…

WhatsApp is an awesome messaging app because it uses your mobile number to activate the service, and the fun part is that you can send messages over the Internet to anyone in your phone book. The company also claimed to handle more than 1 billion messages per day, which I think is a superb achievement and clearly shows the popularity of this app.

WhatsApp's multiple vulnerabilities have been confirmed by SEC Consult, a Singapore-based adviser for information security.

One of the holes has been implemented in a tiny utility by a group of WhatsApp enthusiasts, WhatsAppStatus.Net, to demonstrate the issues in this app.

According to the statement on their website, they contacted WhatsApp engineers about these issues several times but received no communication in return.

What is it actually?

SEC Consult has published a vulnerability report on WhatsApp. (See full report)

  SEC Consult Vulnerability Lab Security Advisory < 20111219-1 >
  =======================================================================
                title: Multiple vulnerabilities in WhatsApp
              product: WhatsApp (tested on Android client)
        fixed version: -
               impact: Medium
             homepage: http://www.whatsapp.com/
                found: 2011-09-09
                   by: G. Wagner
                       SEC Consult Vulnerability Lab
                       https://www.sec-consult.com/
  =======================================================================

  Vendor description:
  -------------------
  WhatsApp Messenger is a cross-platform mobile messaging app which
  allows to exchange messages without having to pay for SMS. In addition
  to basic messaging iPhone, Android, Nokia and BlackBerry WhatsApp
  Messenger users can send each other images, video and audio media
  messages.

  Issue 1: Updating arbitrary users' status
  -----------------------------------------
  The WhatsApp does most of its communication through XMPP, in some cases
  though the client sends HTTPS requests to interact with the server.
  This is the case when the client fetches a users' status, as well as
  for updating it. By providing any WhatsApp registered telephone number
  and the text for the status update, it is possible to change a user's
  status. This action does not require any prior authentication or
  authorization (This issue was last tested 2011-12-07).
  No POC will be published as no fix is available.
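The flaw class the advisory describes is a status-update endpoint that accepts a target phone number and new text without checking who is asking. The following is an added illustration, not code from the advisory, the blog or WhatsApp: a hypothetical handler with the missing authentication and authorization checks, beside a hardened one that performs them. The endpoint shape, the session tokens, the in-memory stores and the length limit are all assumptions made for the example.

```python
from typing import Optional, Tuple
import hmac

# Constructed sample data: registered numbers and their current status text.
STATUS_DB = {"+15550001111": "Available", "+15550002222": "Busy"}

# Constructed sessions: opaque session token -> the number it was issued to.
SESSIONS = {"tok-alice": "+15550001111"}

# Assumed limit for the example; the page gives no real value.
MAX_STATUS_LEN = 140


def update_status_vulnerable(number: str, text: str) -> bool:
    """Flaw class in the advisory: the request carries only a target number
    and new text, so anyone who knows a registered number can overwrite its
    status. Nothing ties the request to the account's owner."""
    if number not in STATUS_DB:
        return False
    STATUS_DB[number] = text
    return True


def _session_owner(token: str) -> Optional[str]:
    """Resolve a session token to its number using constant-time comparison."""
    owner = None
    for candidate, num in SESSIONS.items():
        if hmac.compare_digest(candidate, token):
            owner = num
    return owner


def update_status_hardened(number: str, text: str, token: Optional[str]) -> Tuple[int, str]:
    """Hardened handler: authenticate the caller (401), then check that the
    authenticated account is the one being modified (403), then validate the
    input. The write happens only after all three checks pass."""
    if token is None:
        return 401, "authentication required"
    owner = _session_owner(token)
    if owner is None:
        return 401, "invalid session"
    if owner != number:
        return 403, "not authorized for this number"
    # Existence is checked only after authorization, so the endpoint cannot be
    # used by unauthenticated callers as an oracle for registered numbers.
    if number not in STATUS_DB:
        return 404, "unknown number"
    if len(text) > MAX_STATUS_LEN:
        return 400, "status too long"
    STATUS_DB[number] = text
    return 200, "ok"
```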

As you can see, it was identified in September 2011, but nothing has been fixed yet. Maybe WhatsApp's engineers are not finding it serious.

See the communication log here; we can read "Vendor" as WhatsApp, because the document is about it.

  Vendor contact timeline:
  ------------------------
  2011-09-14: Initially contacted vendor
  2011-09-14: Contact established to security team and sent advisory.
              Asked for feedback and patch timeline.
  2011-09-23: No response from vendor. Asked for feedback and patch
              timeline.
  2011-09-23: Vendor response asking for clarification regarding issue 2.
  2011-10-14: Response sent regarding issue 2.
  2011-10-26: No response from vendor. Asked for feedback and patch
              timeline.
  2011-11-02: Feedback from vendor regarding issue 2.
  2011-11-02: Asked for patch timeline of the other issues and coordinated
              publication.
  2011-12-07: No response from vendor. Informed vendor of last chance to
              provide a patch timeline within 7 work days.
  2011-12-14: No response from vendor.
  2011-12-19: Public release without POC

Oops, but is it real?

After receiving an email from one of our readers, Maria, I decided to give it a try.

One of WhatsApp's issues is that it can be exploited to change the STATUS message of any of its users if you know his/her phone number, so I downloaded this WhatsApp Status Changer demo utility from WhatsAppStatus.net.

I have the latest version of WhatsApp installed on my phone, so using this utility to change my status message should tell me the current state.


But it didn't happen that way. The said exploit couldn't change my status. I cross-checked with my friends on WhatsApp to see what they see as my status message. (Or maybe this exploit utility needs an upgrade.)

I wouldn't like to undermine anyone, because it's about the TRUST shown by thousands of users across the world in an authoritative app like WhatsApp on various smartphone marketplaces.

Notes

I felt good seeing this exploit not working. But still, if the reports above are to be believed, chances are high that it works for at least some users.

Like the security adviser, I would also suggest cross-checking, or using an alternate method, when exchanging important content through WhatsApp, just as a safety measure until we hear from WhatsApp officially.

WhatsApp and its team would definitely try to resolve this issue, if it's there. I am eagerly waiting to know the company's thoughts on this and how they convey them to their sincere fans.

@WhatsApp… we always loved you and recommended you to our friends; now it's your turn to tell us about these issues.
