Tuesday, 24 May 2011

Whatsapp security weaknesses

The facts of whatsapp and all the drama.

On an iPhone, when you open the Whatsapp application, the following occurs:
- The application resolves sro.whatsapp.net.
- Gets the addresses,, back from: ns1.softlayer.com
- An encrypted(!) connection is set up on port 443 with (in this case)
Unfortunately I haven’t been able to perform a MITM attack to decrypt the data sent between these two senders. So I don’t know what data is transported between them.
- Through this encrypted(!) connection the IP address of the Whatsapp chat servers is sent, in this case: Whatsapp uses the Extensible Messaging and Presence Protocol, but its own version of it.
- From this moment on, Whatsapp communicates via port 5222 with the Whatsapp XMPP server and simultaneously keeps the encrypted connection open. Remarkably, all the messages sent via the Whatsapp application are sent without encryption over port 5222: in plaintext, as stated. The transported data is sensitive, since names and the corresponding telephone numbers are transported in plaintext as well.

For sending pictures Whatsapp uses mms.whatsapp.net and this time it does send the data encrypted.

The Android, Nokia and Blackberry way.
Above is the way the Whatsapp iPhone application works. The Android, Nokia and Blackberry applications work differently. In their case Whatsapp does exactly the same; the only difference is that it connects to port 443 instead of port 5222. People say that this way Whatsapp suggests it uses an encrypted connection, since port 443 is mainly associated with encrypted HTTP traffic. Whether this is the case can be questioned: since they didn’t implement this way of connecting in the iPhone application, it suggests that using port 443 on these devices has a well-motivated reason.
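
A port number says nothing about whether a flow is encrypted, so an audit should look at the bytes. The check below is an added example, not code from the original post: it classifies the first client payload of a captured flow by content. The sample payloads, the `example.invalid` address and all function names are constructed for illustration and are not Whatsapp's actual wire format.

```python
# Added example: judge a flow by its first client payload, not by its port.
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}  # CCS, alert, handshake, app data


def looks_like_tls(payload: bytes) -> bool:
    """True if the payload starts with a plausible SSLv3/TLS record header."""
    if len(payload) < 5:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    return (content_type in TLS_CONTENT_TYPES and major == 3
            and minor <= 4 and 0 < length <= 2**14 + 2048)


def printable_ratio(payload: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in payload) / len(payload)


def classify(payload: bytes) -> str:
    if not payload:
        return "empty"
    if looks_like_tls(payload):
        return "tls"
    if printable_ratio(payload) > 0.9:
        return "plaintext"
    return "unknown-binary"


def audit(flows):
    """Return (port, note) for every flow whose content is readable on the wire."""
    findings = []
    for port, payload in flows:
        if classify(payload) == "plaintext":
            note = "readable on the wire"
            if port == 443:
                note += "; port 443 but no TLS record header"
            findings.append((port, note))
    return findings


# Constructed samples: a TLS ClientHello record prefix and an XMPP-style stanza.
TLS_HELLO = bytes.fromhex("160301002f0100002b0301") + bytes(36)
XMPP_STYLE = b"<message to='0000000000@example.invalid'><body>hello</body></message>"
FLOWS = [(443, TLS_HELLO), (5222, XMPP_STYLE), (443, XMPP_STYLE)]

if __name__ == "__main__":
    for port, note in audit(FLOWS):
        print(port, note)
```
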

We should not forget that encrypting your messages will make the application slower, the transport of the messages slower, and will eat your battery.
Despite that, it is not necessary to transfer usernames and telephone numbers. User IDs and phone IDs can be used instead.

In addition to these security weaknesses in Whatsapp, the application had another big flaw that allows account hijacking. For details on this subject see my previous blog post: http://rickey-g.blogspot.com/2011/05/hijack-someone-elses-whatsapp-with-your.html
Since it is possible to spoof SMS messages, Whatsapp can fix this problem only by disabling all verification methods other than sending a verification SMS themselves.

28 comments:

  1. I just wanted to test it myself and indeed: the content of WhatsApp messages in Wireshark. I have been wondering for a while whether it is possible to build a client for the PC. Do you think this is possible? Since the SMS verification has been cracked as well.. The easiest way, it seems to me, would be to decompile the Android app, for example, since it is Java. Let me know what you think
    - Herman

  2. Yes, that is certainly possible if you replicate the Whatsapp packets.
    I think it is also possible to make a client that can send messages on behalf of other people.
    So spam is also an option via Whatsapp. (I think)

  3. This is really useful information, but I would like to ask a question.

    For Whatsapp messages, since Whatsapp uses many IP addresses, how can I detect Whatsapp messages? By which parameter does it differ from other applications?

