The cross-platform mobile messaging application WhatsApp appears to be exposing its users due to the lack of proper security measures. Experts discovered a number of vulnerabilities which allow attackers to hijack accounts by using freely available pieces of software.
Researchers from German company heise Security – cited by The H Security – reveal that the app uses an internally generated password to log on to the server.
This password is generated from the device's Wi-Fi MAC address on iOS devices and from the phone's IMEI on Android machines. The problem is that IMEIs and MAC addresses are not that difficult to obtain.
The IMEI can be retrieved by using special apps, by typing a special key combination, or by checking the sticker that's placed under the battery. In the case of iPhones it's even easier because the MAC can be determined by anyone who's within range of the Wi-Fi network utilized by the victim.
Once this data is obtained, taking over an account is not difficult at all. The attacker enters the MAC or the IMEI into a script which allows him to send arbitrary messages from the compromised account.
The cleverly designed script can also be used to carry on conversations from the victim's account, and everything occurs without the account owner's knowledge. According to experts, these potentially malicious operations are performed with the help of the application's PHP-based API, WhatsAPI.
And there's another problem. Once the account is compromised, there is no way to block the attacker from accessing it again because the password in question cannot be changed.
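The two design flaws described above (a password that is a function of a device identifier, and a password that cannot be changed) are contrasted here with a server-issued, rotatable secret. This is an added example, not code from the article, WhatsApp or WhatsAPI; the SHA-256 derivation, the `CredentialStore` class and the sample identifier are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def derived_credential(device_id: str) -> str:
    # Weak pattern: the login secret is a pure function of a device identifier.
    # SHA-256 is a stand-in for this example; the article does not name the
    # derivation the app uses.
    return hashlib.sha256(device_id.encode()).hexdigest()


class CredentialStore:
    """Hardened pattern: server-issued random secrets that can be rotated."""

    def __init__(self):
        self._hashes = {}  # account -> SHA-256 of the current secret

    def issue(self, account: str) -> str:
        secret = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._hashes[account] = hashlib.sha256(secret.encode()).digest()
        return secret  # handed to the client once, at enrolment

    def verify(self, account: str, presented: str) -> bool:
        stored = self._hashes.get(account)
        if stored is None:
            return False
        candidate = hashlib.sha256(presented.encode()).digest()
        return hmac.compare_digest(stored, candidate)  # constant-time compare

    rotate = issue  # rotation is re-issuing: the previous secret stops verifying


def demo() -> dict:
    device_id = "123456789012345"  # constructed sample identifier
    # Anyone who learns the identifier recomputes the same credential, and the
    # owner cannot change it without changing hardware.
    owner, observer = derived_credential(device_id), derived_credential(device_id)
    store = CredentialStore()
    old = store.issue("alice")
    new = store.rotate("alice")  # response to a suspected compromise
    return {
        "derived_recomputable": owner == observer,
        "old_valid_after_rotation": store.verify("alice", old),
        "new_valid": store.verify("alice", new),
        "device_id_accepted": store.verify("alice", derived_credential(device_id)),
    }


if __name__ == "__main__":
    print(demo())
```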
Furthermore, an anonymous independent security analyst claims to have found issues in the way the application encrypts messages and described his findings in a Pastebin post.
Now, it remains to be seen how WhatsApp will react to these findings. Hopefully, they'll address these issues as soon as possible.