
Given this week's leak of over 1 million unique Apple device IDs, mobile security has been on a lot of minds. One web developer is now calling attention to a possible security risk in the popular WhatsApp messaging service on Android that could result in messages being intercepted or spoofed.
WhatsApp has become immensely popular (it recently hit a new record of 10 billion messages sent and received in a single day), but that popularity could make it a prime target for hackers and scammers.
Sam Granger (via Hacker News) notes that WhatsApp for Android is insecure because it uses the phone number as the username and a modified version of the IMEI number (inverted and run through an MD5 cryptographic hash, in case you were wondering) as the password. IMEI, or International Mobile Equipment Identity, is a number used for identifying certain types of phones.
The iPhone version of the app does not appear to have the flaw. Granger said he didn't know whether the Windows Mobile and BlackBerry versions use the same password generation method.
Granger's post isn't particularly new information, as the WhatsApp Wikipedia entry already says that the service uses the phone number and IMEI. He does, however, point out that there are several "rather simple" ways to obtain both pieces of information.
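The weakness in the scheme described above is that the password is a pure function of a device identifier, so it can never be rotated and is known to anyone who learns the IMEI. As an added example (not from Granger's post or from WhatsApp's code), the Python sketch below contrasts that derivation with a server-issued random secret. The `CredentialStore` class, the phone number and the sample IMEI are hypothetical, and "inverted" is assumed to mean the digit string reversed.

```python
import hashlib
import hmac
import secrets

SAMPLE_IMEI = "490154203237518"  # constructed sample value, not a real user's device
PHONE = "+15550100"              # constructed sample phone number


def device_derived_password(imei: str) -> str:
    """Weak scheme as the article describes it: inverted IMEI, MD5-hashed.
    Assumption: 'inverted' means the digit string reversed."""
    return hashlib.md5(imei[::-1].encode("ascii")).hexdigest()


class CredentialStore:
    """Hypothetical server side for the hardened scheme."""

    def __init__(self) -> None:
        self._digests = {}  # phone number -> SHA-256 digest of the current secret

    def register(self, phone: str) -> str:
        """Issue a fresh random secret; keep only its digest server-side."""
        secret = secrets.token_urlsafe(32)  # 32 random bytes, unrelated to the device
        self._digests[phone] = hashlib.sha256(secret.encode()).digest()
        return secret  # handed to the client once, over an encrypted channel

    def verify(self, phone: str, presented: str) -> bool:
        expected = self._digests.get(phone)
        if expected is None:
            return False
        digest = hashlib.sha256(presented.encode()).digest()
        return hmac.compare_digest(expected, digest)  # constant-time comparison


def compare_schemes() -> dict:
    store = CredentialStore()
    first = store.register(PHONE)
    second = store.register(PHONE)  # re-registration rotates the secret
    weak = device_derived_password(SAMPLE_IMEI)
    return {
        # Same IMEI always yields the same password: it cannot be changed.
        "weak_is_deterministic": weak == device_derived_password(SAMPLE_IMEI),
        "random_secret_rotates": first != second,
        "old_secret_revoked": not store.verify(PHONE, first),
        "current_secret_accepted": store.verify(PHONE, second),
        # Knowing the device identifier gives no help against the random secret.
        "imei_hash_rejected": not store.verify(PHONE, weak),
    }


if __name__ == "__main__":
    for name, ok in compare_schemes().items():
        print(f"{name}: {ok}")
```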
"Is this already happening? It wouldn't surprise me if it is," he wrote. "I've succeeded in sending/receiving messages (from friends' accounts who gave me permission to take their accounts over) and I'm not even a 'hardcore hacker.'"
Granger concluded by saying that he loves WhatsApp, but feels it's "far from 'secure.'"
TNW has contacted WhatsApp about the issue. So far, they've yet to respond, but we'll update this post if they do.
Meanwhile, some scammers are even using WhatsApp's name (and popularity) to trick people. Last month, we noticed a number of Facebook apps trying to pass themselves off as the service.
Image credit: stock.xchng