WhatsApp is using IMEI numbers as passwords
It’s unfortunate that so many apps use UDIDs to identify users, since it’s extremely insecure.
This brings me to WhatsApp, a free messaging service used by millions of people. Their system runs on a modified version of XMPP (Extensible Messaging and Presence Protocol). There is nothing wrong with using XMPP, but there is a problem in how WhatsApp handles authentication.
If you installed WhatsApp on an Android device, for example, your password is likely to be your phone’s IMEI number reversed, with an MD5 cryptographic hash applied on top of it (without salt).
md5(strrev('your-imei-goes-here'))
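Added example, not from the original post or from WhatsApp's code: the derivation above in Python, next to a random per-install secret that the server can rotate. The Server class, the phone number and the sample IMEI are constructed for illustration.

```python
import hashlib
import hmac
import secrets

SAMPLE_IMEI = "123456789012345"   # constructed sample value, not a real device
SAMPLE_PHONE = "+10000000000"     # constructed sample value


def imei_derived_password(imei: str) -> str:
    """Scheme described in the post: unsalted MD5 of the reversed IMEI.

    The result is a pure function of a hardware identifier, so it is the same
    on every install and cannot be changed without changing the device.
    """
    return hashlib.md5(imei[::-1].encode("ascii")).hexdigest()


class Server:
    """Hypothetical server that issues a random secret per registration."""

    def __init__(self):
        self._accounts = {}  # phone number -> SHA-256 digest of the current secret

    def register(self, phone: str) -> str:
        """Issue a fresh 256-bit secret; registering again revokes the old one."""
        secret = secrets.token_urlsafe(32)
        # A fast hash is enough here because the secret is high-entropy random
        # data, not a human-chosen or device-derived value.
        self._accounts[phone] = hashlib.sha256(secret.encode()).digest()
        return secret

    def authenticate(self, phone: str, secret: str) -> bool:
        expected = self._accounts.get(phone)
        if expected is None:
            return False
        presented = hashlib.sha256(secret.encode()).digest()
        return hmac.compare_digest(presented, expected)  # constant-time compare


if __name__ == "__main__":
    server = Server()
    first = server.register(SAMPLE_PHONE)
    print("IMEI-derived, fixed per device:", imei_derived_password(SAMPLE_IMEI))
    print("random secret accepted:", server.authenticate(SAMPLE_PHONE, first))
    second = server.register(SAMPLE_PHONE)  # rotation after suspected compromise
    print("old secret after rotation:", server.authenticate(SAMPLE_PHONE, first))
    print("new secret after rotation:", server.authenticate(SAMPLE_PHONE, second))
```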
When I say Android, I don’t exclusively mean Android. It just happens to be a different case when it comes to iOS. Windows Mobile, BlackBerry, etc. might very well use the same password method. It actually wouldn’t surprise me. WhatsApp on the iPhone might be using your IMEI too, or maybe UDIDs to generate passwords, but not the exact same method. If I do find out, I will update this post.
Then comes the username. It’s your phone number (doh).
Obtaining both of these values is rather simple.
Examples:
1. You have direct access to your victim’s phone, in which case you dial & call *#06# (in most cases) and you’ve got their IMEI number.
2. You develop an app that silently sends the victim’s IMEI number to your server in the background (many applications do this already), along with their phone number, either by letting them fill it in themselves in a registration part of your app, or also silently (this method, however, isn’t always airtight, but it works in a lot of cases).
3. A hacker leaks a database/file with IMEI numbers with associated phone numbers, ding ding ding!
4. A spammer buys this information from an app developer.
Time for some Android code examples.
Android code example to retrieve IMEI number:
TelephonyManager tm = (TelephonyManager) getSystemService(Context.TELEPHONY_SERVICE);
String device_id = tm.getDeviceId();
To retrieve the victim’s phone number:
TelephonyManager tMgr = (TelephonyManager) mAppContext.getSystemService(Context.TELEPHONY_SERVICE);
mPhoneNumber = tMgr.getLine1Number();
You can also retrieve the user’s voicemail number, just in case:
TelephonyManager.getCompleteVoiceMailNumber()
Using this information allows you to intercept and send messages from your victims account.
This could mess up people’s lives if you use their account to send a message to someone they know, with any kind of f’ed up message. This could cause huge problems for your victim, especially if the receiver of the message is mentally unstable. It might sound dramatic, but it’s feasible.
You could intercept naked photos & other sensitive personal messages.
Alternatively, you could just spam the hell out of WhatsApp, especially if you have a nice big database.
Is this already happening? It wouldn’t surprise me if it is. I’ve succeeded in sending/receiving messages (from friends’ accounts, who gave me permission to take their accounts over) and I’m not even a “hardcore hacker”.
Do you use WhatsApp? Think twice before you send a private WhatsApp message. Think twice when you receive a messed up WhatsApp message. You don’t know what’s going on in the background.
And WhatsApp, if you are reading this, get your act together. People expect a secure system when it comes to personal messaging. And with the amount of customers you have, you should be taking better security measures. I sincerely hope you fix this issue soon.
The intent of this blog post is not to give “hackers” or “scriptkiddies” any funny ideas, but merely to raise awareness.
P.S. Don’t get me wrong, I love WhatsApp. But it’s far from “secure”.