Whatsapp security hole allows changing status message of other users (opens in new tab)

(whatsappstatus.net)

57 pointssssparkkk14y ago23 comments

23 comments

20 comments · 12 top-level

fredley14y ago· 5 in thread

As a frequent WhatsApp user, I must say I find this more amusing than anything. I've never really understood what the status feature is for anyway.

ch0wn14y ago

As a frequent WhatsApp user I don't find this amusing at all. If this is how the engineers handle security issues, it might be time to convince my friends to switch to another messenger. It's not like there was no competition in that field.

mike-cardwell14y ago

Kik Messenger seems to have been doing very well recently.

1 more reply

jng14y ago

The initial design of WhatsApp was as an app to share your status. Only later did they add messaging. Which is the functionality that actually made them take off. But they've never removed the statua part, even though nobody uses it.

982n38914y ago

Of course, these security holes are not so hilarious to WhatsApp users who think their chats are encrypted on route to WhatsApp's servers :)

msh14y ago

Umm, I think a malicious user could write things in your status that could have negative consequences for you.

BuddhaSource14y ago· 2 in thread

Is this a Fraud site? Not working for me.

gglanzani14y ago

Ain't working for me either, but I've read report of people who were able to to that.

Too bad :)

kmfrk14y ago

Mikko Hypponen reblogged a tweet mentioning it, so it has to be legit. :)

sssparkkkOP14y ago· 1 in thread

Some more information about this can be found here: http://packetstormsecurity.org/files/108010/SA-20111219-1.tx...

yread14y ago

Wow it seems there is no security at all:

> By providing any WhatsApp registered telephone number and the text for the status update, it is possible to change a user's status. This action does not require any prior authentication or authorization

> (on registration) The vendor has implemented bruteforce protection by locking a number after 10 tries. This step makes a successful attack on a specific number unlikely but an attacker bruteforcing X00 numbers can still guess X number(s) on average.

> As published in the past several times already the XMPP traffic from WhatsApp is not encrypted.

And they are planning to charge money for it?

edit: perhaps even worse is their response to the security vulnerability seen in the timeline - they knew about the bug since 09-14

alex114y ago

The site says the hole has been patched but I was just able to change my own status with this:

  curl -A "WhatsApp/2.6.7 iPhone_OS/5.0.1 Device/iPhone_4" --header "Accept-Language: en-us" --header "Accept-Encoding: gzip, deflate" --header "Connection: keep-alive" -d "cc=1&me=%2B1{10_DIGIT_NUMBER}&s={URL_ENCODED_STATUS}" https://s.whatsapp.net/client/iphone/u.php

It did take some time to show up under my name, even after restarting the app.

chintan10014y ago

Did anybody have any success with changing someone else's status with this? If so, please post.

I got the success message on site and restarted the app too on iPhone by killing it from the multitasking bar but my friend's status is still unchanged.

Makes me doubt it is a fraud site as BuddhaSource mentioned.

steipete14y ago

It's not changing status anymore, did they already block the site's IP?

richardburton14y ago

I could not change mine. If the leak is plugged would you be willing to explain where the hole is?

jaipilot74714y ago

What would the legal liabilities of this site be?

dopp14y ago

dumb question - how exactly can I try this? I went to the site, but didn't find relevant information.

thelicx14y ago

Not working for me.

beerglass14y ago

Ridiculous!

startupcto14y ago

There's a few ways that they can patch this. I'm assuming that there's some sort of auth process in place for their http calls and this could simply be a case where this particular endpoint missed the auth.

Or they're simply blocking the whatsappstatus's ip and a fix would actually require both client side and server side changes.

But honestly its just a messaging app and how many people really cares if "let's go grab a beer" is encrypted or not.

j / k navigate · click thread line to collapse