A few days ago the Android developer Sam Granger published an article explaining how the log-in process works on WhatsApp for Android. In his article, Granger says that the password is the MD5 hash of the reversed IMEI number. In his notation:
md5(strrev('your-imei-goes-here'))
Granger also states that the same method does not apply to iOS devices, and that the algorithm used there is not yet known.
So I decided to examine WhatsApp for iPhone and how it generates the password. The principle is the same, but this time the MD5 hash is calculated over the MAC address of the WiFi interface (en0), taken twice, because Apple does not allow third-party applications to access the IMEI number.
Using Granger's notation:
md5(AA:BB:CC:DD:EE:FFAA:BB:CC:DD:EE:FF)
Below is a portion of the ARM code that handles the password generation.
The method can be verified by simulating the log-in process from any browser. You have to compose the following request:
hxxps://r.whatsapp.net/v1/exist.php?cc=COUNTRY_CODE&in=TELEPHONE_NUMBER&udid=MD5(MACMAC)
If everything is OK you should get something like this:
However, the GET request only informs the app that we are accessing from a previously registered device.
The authentication process itself starts after this GET request, using the X-WAWA protocol.
Paradoxically, because of the restriction Apple imposed (on retrieving the IMEI number), the authentication method for iOS devices is less secure than on Android devices. The MAC address can easily be obtained on a WiFi network.
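The following Python sketch is an added example, not code from the original post or from WhatsApp. It shows the check an app-security reviewer could run to flag a credential that is reproducible from device identifiers using the two derivations described above, next to a server-issued random secret for comparison. The function names and sample identifiers are hypothetical, and the upper-case MAC formatting is an assumption taken from the notation above.

```python
import hashlib
import secrets


def md5_hex(text: str) -> str:
    """Hex MD5 of an ASCII string, as in the article's md5(...) notation."""
    return hashlib.md5(text.encode("ascii")).hexdigest()


# The two derivations described in the article. Each takes a dict of
# device identifiers and returns the derived credential, or None when
# the identifier it needs is not available.
DERIVATIONS = {
    "md5(reversed IMEI)": lambda ids: md5_hex(ids["imei"][::-1]) if "imei" in ids else None,
    "md5(MAC + MAC)": lambda ids: md5_hex(ids["mac"] * 2) if "mac" in ids else None,
}


def identifier_derived(credential: str, device_ids: dict) -> list:
    """Return the label of every derivation that reproduces `credential`.

    A non-empty result means the secret is a pure function of values the
    device exposes (the MAC is visible to anyone on the same WiFi network),
    so it offers no protection against someone who learns the identifier.
    """
    cred = credential.strip().lower()
    hits = []
    for label, derive in DERIVATIONS.items():
        candidate = derive(device_ids)
        if candidate is not None and candidate == cred:
            hits.append(label)
    return hits


def issue_random_credential() -> str:
    """Hardened alternative: a 128-bit secret from the OS CSPRNG, issued
    by the server at registration and unrelated to any device identifier."""
    return secrets.token_hex(16)


# Constructed sample identifiers (not real devices).
SAMPLE_IDS = {"imei": "012345678901234", "mac": "AA:BB:CC:DD:EE:FF"}

if __name__ == "__main__":
    weak = md5_hex(SAMPLE_IDS["mac"] * 2)
    print("identifier-derived:", identifier_derived(weak, SAMPLE_IDS))
    print("random secret:     ", identifier_derived(issue_random_credential(), SAMPLE_IDS))
```
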
Interesting, will try this out later tonight!
I let you try
Tried it and it works perfectly …
Hi, sorry to bother you, but I can't get through the whole process; the result it gives me is always "fail".
Could you kindly spell out the whole process for me?
I would be grateful.
Thanks a lot
Carlo
Interesting, thanks. Any news about Windows Phone 7 device? I’ve tried with MD5(rev(IMEI)) and with MD5(MACMAC) but it fails.
Regards.
Hi,
It uses another method for Windows Phone. I will publish an article with details on WP asap.
Hey dudes, I saw yesterday another article about WhatSucks security )))
http://pastebin.com/g9UPuviz
Oh wow. They should just shut down their service until they got all this shit fixed.
Nice. Tell your friend if he would share its arm decompiler license
Summary of all known security issues and flaws: http://www.fileperms.org/whatsapp-is-broken-really-broken/
Not working for me
it Works!
My password is incorrect, or at least that's what the server gives back – I hope it means at least that they fixed it or it's not 100% vulnerable after all?
Interesting article! Which Disassembler did you use?
ida pro
Viber next?
Seems like iOS login doesn’t work anymore. Can anyone confirm this? Regards, Ralf
Does this really work?
I used a phone number from a friend (1) with the MAC address from another friend (2) and the request tells me:
wtf?
*response status ok
As soon as I noticed this web site I went on reddit to share some of the love with them.
Hi there, I found your website by way of Google even as searching for a similar topic, your web site came up, it looks great. I have bookmarked to favourites|added to my bookmarks.
I will immediately grab your rss as I can not find your email subscription link or newsletter service. Do you’ve any? Kindly let me know so that I could subscribe. Thanks.
I will insert the newsletter service soon..
Thank you for the sensible critique. Me and my neighbor were just preparing to do a little research about this. We got a grab a book from our local library but I think I learned more clear from this post. I am very glad to see such fantastic information being shared freely out there.
You really make it seem so easy together with your presentation however I find this topic to be actually one thing which I think I’d by no means understand. It sort of feels too complicated and extremely wide for me. I am taking a look ahead on your next post, I will attempt to get the hang of it!
Keep up the excellent piece of work, I read few posts on this site and I conceive that your site is really interesting and holds sets of wonderful info.
I found something like this elsewhere and really liked. Some more of this please! Thanks
Win Magazine has copied this guide…
Yes, I know….
Did the new WA iPhone 2.8.6 version change the password method?
It seems that the iOS password is still derived from the MAC or another iPhone identifier. If it was randomly generated you'd have to resend the SMS code after reinstalling on the iPhone. This is not the case (I tested it). Someone with ARM skillz has to decompile the newest iPhone binary.
Not necessarily true. They could do this test with the MAC regardless of how they gen the password
It seems the password is now salted with the 6-digit code they send you. I’ve got 2 iphones which were using the same account. Once updated the first could login without problems while the 2nd did not work anymore. Now the interesting part :
I've requested another SMS code and entered it on the 2nd phone. After entering it the 2nd could login but the 1st was unable to login again. So it appears the 6-digit code is now used in order to generate the password. I also got a decrypted 2.8.10 version but didn't analyze it yet through IDA. Will keep you guys updated.
Here are the IDA (idb) files – fully decrypted for both versions.
http://www.file-upload.net/download-6860437/WhatsApp_2-8-6_IDA_idb.zip.html
http://www.file-upload.net/download-6860442/WhatsApp_2-6-10_IDA_idb.zip.html
How to open and browse it ?
This isn't true bro… the operation you did with the two phones gave the same results over the past years… anyway thanks for your decrypted versions.. stay in touch
And why did you give 2.6.10 ???? Why not 2.8.4 the most recent before WhatsApp changed the iOS password… Note: The last two versions of WhatsApp are 2.8.6 and 2.8.4. 2.8.6 is the one where the password change occurred… Please help us developers and don't forget that our force is unity!
I've added the old one just for comparison. The old one also doesn't encrypt the connection so you can still analyze packets without cracking encryption on the old client.
1) On iOS it doesn’t work anymore.
2) But what happens for fixed lines (for trusting the number, WhatsApp makes a call: if the user answers the number is authorized/considered as verified)?
Which is the algorithm for authentication?
I DO NOT TRUST THE FACT that the digit code has to do with iOS password… anyway someone has a freeware rather than ida that reads idb files…?
It's not working at the moment. Has WhatsApp been modified to fix this issue or am I doing something wrong?