This article was published on May 23, 2011

Signup goof leaves WhatsApp users open to account hijacking


In the ping-happy world in which we live, faster and better communication apps are always gaining popularity. One such title, WhatsApp, has found itself in the spotlight for bringing BBM-like messaging to any phone; all you need to do is give it your phone number.

However, according to a number of reports from Spanish and Dutch-language websites, there is a security hole in the WhatsApp authentication process that allows your messages to be read by anyone with a prepaid phone and a WiFi connection.

The story appears to have first broken on Tweaker.net via GeenStijl, and more details have surfaced since. Starting from the beginning, here is what we have been able to find and verify:

  • The verification process consists of signing up with a phone number, then WhatsApp sends a text message to the entered number.
  • If verification is sent from a mobile device that is pre-paid, but does not have pre-paid time, the message will be stuck in a queue.
  • Due to a hole in the process, even if the text message is not received and then replied to, WhatsApp still verifies the device and allows the receipt of WhatsApp messages, as well as the display of the numbers from which the messages were sent.

The problem is two-fold. First, even though WhatsApp uses port 443 (commonly used for encrypted traffic), the information sent over that port does not appear to have any sort of security attached. Second, once that information has been transmitted in the clear, it can easily be picked up by anyone sniffing traffic on a public WiFi network.

What can happen should be fairly obvious, but just in case it's not: information sent to the registered number can be intercepted, including voice, text and images. Worse yet, since that information comes from another number, the second number can in turn be intercepted and then hijacked.

WhatsApp does have a mechanism to inform you when you've signed up for the service on a new device. Unfortunately, that notice is only sent to the newer of the two devices, so a hijacked user will get no confirmation that their account has been compromised.

There is some potentially good news. According to a commenter on Dutch-language site WebWereld, this attack shouldn’t be able to work as easily with the iPhone, but it can still be done via SMS spoofing on websites. However, the whole of the iPhone side is a bit damning as well.

According to blogger Rickey Gevers, the process is a bit more convoluted, but still easy to do. Even worse, Gevers says that WhatsApp in iOS doesn’t even use port 443, but rather port 5222. Why is this dangerous? Because it’s a normal traffic port used by applications that utilize XMPP. Not familiar with XMPP? It’s used by a number of applications such as Google Talk and even Livefyre, our commenting system here on TNW.
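The two transport problems described above (cleartext on port 443, and XMPP on port 5222 that may never be upgraded to TLS) are the kind of thing a network defender can spot from the first bytes of a connection. The check below is an added example, not code from this article or from WhatsApp; the sample payloads are constructed for illustration and do not reproduce WhatsApp's actual wire format.

```python
# Flag TCP streams that use an "encrypted" port without actually speaking TLS.
# Input per flow: destination port and the first bytes of the conversation
# (both directions concatenated), e.g. as exported from a packet capture.

TLS_HANDSHAKE = 0x16                                    # TLS record type: Handshake
TLS_RECORD_VERSIONS = {(3, 0), (3, 1), (3, 2), (3, 3)}  # SSL 3.0 .. TLS 1.2 headers


def looks_like_tls(payload: bytes) -> bool:
    """True if the stream opens with a plausible TLS handshake record header."""
    if len(payload) < 6:
        return False
    return payload[0] == TLS_HANDSHAKE and (payload[1], payload[2]) in TLS_RECORD_VERSIONS


def classify_stream(dst_port: int, first_bytes: bytes) -> str:
    """Classify a stream by port and content.

    'tls'           - a TLS handshake, whatever the port
    'cleartext-443' - port 443 carrying something that is not TLS
    'xmpp-plain'    - port 5222 opening an XMPP stream with no STARTTLS in sight
    'other'         - anything else
    """
    head = first_bytes[:1024]
    if looks_like_tls(head):
        return "tls"
    if dst_port == 443:
        return "cleartext-443"
    if dst_port == 5222 and b"<stream:stream" in head and b"<starttls" not in head:
        return "xmpp-plain"
    return "other"


def audit(flows):
    """Return (port, verdict) for every flow that deserves a closer look."""
    suspicious = ("cleartext-443", "xmpp-plain")
    return [(port, classify_stream(port, data)) for port, data in flows
            if classify_stream(port, data) in suspicious]


# Constructed samples: a real TLS ClientHello begins 16 03 01 ...; the other two
# stand in for what a sniffer on public WiFi would see from an unencrypted client.
SAMPLE_FLOWS = [
    (443, bytes.fromhex("160301009f0100009b0303") + b"\x00" * 16),
    (443, b"<register phone='+1-555-0100'/>"),                      # placeholder
    (5222, b"<?xml version='1.0'?><stream:stream to='example.invalid'>"),
]

if __name__ == "__main__":
    for port, verdict in audit(SAMPLE_FLOWS):
        print(f"port {port}: {verdict}")
```

An XMPP stream normally opens in the clear and then negotiates STARTTLS, so the 'xmpp-plain' verdict only means the upgrade was not seen in the first kilobyte; confirm against the full exchange before treating it as a finding.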

We, as well as many other sites, have contacted WhatsApp. We’ll update this story with any more information that we find, but there have not been any replies as of the time of this writing.
