WhatsApp for Android could be vulnerable to hijacking due to IMEI-based password

Given this week’s leak of over 1 million unique Apple device IDs, mobile security has been on a lot of minds. One web developer is now calling attention to a possible security risk in the popular WhatsApp messaging service on Android that could result in messages being intercepted or spoofed.

WhatsApp has become immensely popular – it recently hit a new record of 10 billion messages sent and received in a single day, but that popularity could make it a prime target for hackers and scammers.

Sam Granger (via Hacker News) notes that WhatsApp for Android is insecure because it uses the phone number as the username and a modified version of the IMEI number (reversed and then hashed with MD5, in case you were wondering) as the password. The IMEI, or International Mobile Equipment Identity, is a number used to identify certain types of phones.
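To make the weakness concrete, the following added example (not code from Granger's post or from WhatsApp) audits whether a stored credential is a simple deterministic function of a device identifier, and shows a server-issued random secret beside it. The function names and the sample IMEI are assumptions made for illustration, and the audit goes slightly beyond the article by also checking other common hashes.

```python
import hashlib
import secrets
from typing import Dict, Optional

# Constructed sample value for illustration; not a real subscriber's IMEI.
SAMPLE_IMEI = "490154203237518"


def imei_password(imei: str) -> str:
    """Weak scheme as the article describes it: MD5 of the reversed IMEI."""
    return hashlib.md5(imei[::-1].encode("ascii")).hexdigest()


def server_issued_secret() -> str:
    """Hardened alternative: 256 random bits, unrelated to any device property."""
    return secrets.token_urlsafe(32)


def device_derived(secret: str, identifiers: Dict[str, str]) -> Optional[str]:
    """Return a label such as 'md5(reversed imei)' if `secret` can be rebuilt
    from a device identifier with a simple transform, otherwise None."""
    transforms = {"raw": lambda s: s, "reversed": lambda s: s[::-1]}
    for id_name, value in identifiers.items():
        for t_name, transform in transforms.items():
            candidate = transform(value)
            if secret == candidate:
                return f"{t_name} {id_name}"
            for algo in ("md5", "sha1", "sha256"):
                digest = hashlib.new(algo, candidate.encode("ascii")).hexdigest()
                if secret.lower() == digest:
                    return f"{algo}({t_name} {id_name})"
    return None


if __name__ == "__main__":
    ids = {"imei": SAMPLE_IMEI}
    weak = imei_password(SAMPLE_IMEI)
    strong = server_issued_secret()
    # The weak credential is reproducible by anyone who learns the IMEI.
    print("weak  :", weak, "->", device_derived(weak, ids))
    # The random secret cannot be rebuilt from device properties.
    print("strong:", strong, "->", device_derived(strong, ids))
```

A credential flagged by the audit is only as secret as the identifier itself, which is printed on the device and readable by other software on the phone.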

The iPhone version of the app does not appear to have the flaw. Granger said he didn’t know whether the Windows Mobile and BlackBerry versions use the same password generation method.

Granger’s post isn’t particularly new information, as the WhatsApp Wikipedia entry already says that the service uses the phone number and IMEI. He does, however, point out that there are several “rather simple” ways to obtain both pieces of information.

“Is this already happening? It wouldn’t surprise me if it is,” he wrote. “I’ve succeeded in sending/receiving messages (from friends’ accounts who gave me permission to take their accounts over) and I’m not even a ‘hardcore hacker.’”

Granger concluded by saying that he loves WhatsApp, but feels it’s “far from ‘secure.’”

TNW has contacted WhatsApp about the issue. So far, they’ve yet to respond, but we’ll update this post if they do.

This isn’t the first time that WhatsApp has faced criticism over security issues. In May 2011, a security hole was discovered that allowed accounts to be hijacked.

Meanwhile, some scammers are even using WhatsApp’s name (and popularity) to trick people. Last month, we noticed a number of Facebook apps trying to pass themselves off as the service.
