WhatsApp security fails again

heise security is reporting that they obtained a script that can generate the password for an WhatsApp account. They did not release the full algorithm, but it is using the IMEI number to generate it (again!).

Back in September i showed how WhatsApp was using the reversed IMEI number of the the device to generate the password like this:

$imei = "112222223333334"; // example IMEI
$androidWhatsAppPassword = md5(strrev($imei)); // reverse IMEI and calculate md5 hash

So all they did is change the algorithm – Security by Obscurity at its best worst. It makes you wonder why WhatsApp is messing this up again, the solution is so simple: let the user set a custom password.

Leave a Reply