WhatsApp security disaster: the aftermath

Knock-knock WhatsApp, is anybody home? It’s been almost 2 weeks now since the password generation algorithm on Android was disclosed. No comment from WhatsApp.

Spammers are already buying and selling WhatsApp accounts. As I mentioned in my previous post, Android applications can read the phone’s IMEI. It isn’t unlikely that some app developers who collected this information (phone number and IMEI) will go rogue and sell their database to spammers.

If your account is hijacked, at this point the only way to “secure” your account is to change the phone you are using – this will re-register the phone number with a new password. Obviously, the new password will be generated in the same (unsafe) way as the old one, so avoid using WhatsApp on a public WiFi and (on Android) restrict potentially malicious apps from reading the IMEI.

WhatsApp must force all users to set a new, custom password – fast…

Update: a new version (2.8.4) of WhatsApp was released for iOS this morning – testing now.
