WhatsApp Messenger has been a very popular app since the day it was launched. I love it, you love it, everyone loves it. But WhatsApp Messenger has a few vulnerabilities, and they can be exploited to change the STATUS messages of other users. I tried to look inside… read further…
WhatsApp is an awesome messaging app because it uses your mobile number to activate the service, and the fun part is that you can send messages over the Internet to anyone in your phone-book. The company also claims to handle more than 1 billion messages per day, which I think is a superb achievement and clearly shows the popularity of this app.
WhatsApp’s multiple vulnerabilities have been confirmed by Sec Consult, a Singapore-based information security adviser.
One of the holes has been implemented in a tiny utility by a group of WhatsApp enthusiasts, WhatsAppStatus.Net, to demonstrate the issues in this app.
According to the statement on their website, they contacted WhatsApp engineers about these issues several times but received no reply.
What is it actually?
Sec Consult has generated a vulnerability report on WhatsApp. (See full report)
SEC Consult Vulnerability Lab Security Advisory < 20111219-1 >
=======================================================================
              title: Multiple vulnerabilities in WhatsApp
            product: WhatsApp (tested on Android client)
      fixed version: -
             impact: Medium
           homepage: http://www.whatsapp.com/
              found: 2011-09-09
                 by: G. Wagner
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com/
=======================================================================

Vendor description:
-------------------
WhatsApp Messenger is a cross-platform mobile messaging app which allows to exchange messages without having to pay for SMS. In addition to basic messaging iPhone, Android, Nokia and BlackBerry WhatsApp Messenger users can send each other images, video and audio media messages.

Issue 1: Updating arbitrary users' status
-----------------------------------------
The WhatsApp does most of its communication through XMPP, in some cases though the client sends HTTPS requests to interact with the server. This is the case when the client fetches a user's status, as well as for updating it. By providing any WhatsApp registered telephone number and the text for the status update, it is possible to change a user's status. This action does not require any prior authentication or authorization (This issue was last tested 2011-12-07). No POC will be published as no fix is available.
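To make the authorization gap described in Issue 1 concrete, here is an added toy model of a status-update API (constructed example, not WhatsApp's code; it assumes nothing about the real endpoints or token format): the vulnerable shape trusts a request only because it names a registered phone number, and the hardened shape additionally requires a session token bound to that same number.

```python
"""Toy model of a status-update API, illustrating the missing-authorization
bug from the advisory. Constructed example: the phone numbers, the in-memory
store and the HMAC token scheme are all assumptions, not WhatsApp's design."""
import hashlib
import hmac
import secrets

# Constructed in-memory backing store: phone number -> status text.
STATUS_DB = {"+15550000001": "Available", "+15550000002": "At work"}

# Server-side secret used to mint session tokens (generated at startup here).
SERVER_KEY = secrets.token_bytes(32)


def update_status_unauthenticated(phone: str, text: str) -> bool:
    """Vulnerable shape: the request is trusted solely because it names a
    registered phone number, so anyone who knows the number can overwrite it."""
    if phone not in STATUS_DB:
        return False
    STATUS_DB[phone] = text
    return True


def issue_session_token(phone: str) -> str:
    """Mint a token bound to one phone number. A real server would hand this
    out only after the device proved control of the number (the activation
    step) and would add an expiry; this toy keeps it to the binding alone."""
    return hmac.new(SERVER_KEY, phone.encode(), hashlib.sha256).hexdigest()


def update_status_authorized(phone: str, text: str, token: str) -> bool:
    """Hardened shape: the status may only change if the caller presents the
    token bound to that same phone number. compare_digest runs in constant
    time so partial matches do not leak through timing."""
    if phone not in STATUS_DB:
        return False
    expected = issue_session_token(phone)
    if not hmac.compare_digest(expected, token):
        # Rejected writes are worth logging: a burst of them spread across
        # many numbers is the detection signal for mass status tampering.
        return False
    STATUS_DB[phone] = text
    return True
```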
As you can see, it was identified in September 2011, but nothing has been fixed yet. Maybe WhatsApp engineers don’t consider it serious.
See the communication log below; "Vendor" can be read as WhatsApp, because the document is about it.
Vendor contact timeline:
------------------------
2011-09-14: Initially contacted vendor
2011-09-14: Contact established to security team and sent advisory. Asked for feedback and patch timeline.
2011-09-23: No response from vendor. Asked for feedback and patch timeline.
2011-09-23: Vendor response asking for clarification regarding issue 2.
2011-10-14: Response sent regarding issue 2.
2011-10-26: No response from vendor. Asked for feedback and patch timeline.
2011-11-02: Feedback from vendor regarding issue 2.
2011-11-02: Asked for patch timeline of the other issues and coordinated publication.
2011-12-07: No response from vendor. Informed vendor of last chance to provide a patch timeline within 7 work days.
2011-12-14: No response from vendor.
2011-12-19: Public release without POC
Oops, but is it real?
After receiving an email from one of our readers, Maria, I decided to give it a try.
One of WhatsApp’s issues is that it can be exploited to change the STATUS message of any of its users if you know his/her phone number, so I downloaded the WhatsApp Status Changer demo utility from WhatsAppStatus.net.
I have the latest version of WhatsApp installed on my phone, so using this utility to change my own status message should show me the current state of things.
But it didn’t happen that way. The said exploit couldn’t change my status. I cross-checked with my friends on WhatsApp to learn what they see as my status message. (Or maybe this exploit utility needs an upgrade.)
I wouldn’t like to undermine anyone, because it’s about the TRUST shown by thousands of users across the world in an established app like WhatsApp on the various smart-phone marketplaces.
I felt good seeing this exploit not working. But still, if the reports above are to be believed, chances are high that it works for at least some users.
Like the security adviser, I too would suggest cross-checking, or using an alternate method to exchange important content instead of WhatsApp, just as a safety measure until we hear from WhatsApp officially.
WhatsApp and its team would surely try to resolve this issue, if it’s there. I am eagerly waiting to learn the company’s thoughts on this and how they convey them to their sincere fans.
@WhatsApp… we have always loved you and recommended you to our friends. Now it’s your turn to tell us about these issues.