Tuesday, 24 May 2011

Whatsapp security weaknesses

The facts of whatsapp and all the drama.

In the case of an iPhone, if you open the Whatsapp application the following occurs:
- The application resolves sro.whatsapp.net.
- It gets the addresses 173.192.219.141, 173.192.219.149, 173.192.219.140 back from ns1.softlayer.com.
- An encrypted(!) connection is set up on port 443 with (in this case) 173.192.219.141.
Unfortunately I haven’t been able to perform a MITM attack to decrypt the data sent between these two senders. So I don’t know what data is transported between them.
- Through this encrypted(!) connection the IP address of the Whatsapp chat servers is sent, in this case: 50.22.227.220. Whatsapp uses the Extensible Messaging and Presence Protocol (XMPP), but its own version of it.
- From this moment on Whatsapp communicates via port 5222 with the Whatsapp XMPP server 50.22.227.220, and simultaneously keeps the encrypted connection open. What is remarkable is that all the messages sent via the Whatsapp application are sent without encryption over port 5222. In plaintext, as stated. The transported data is sensitive: names and the corresponding telephone numbers are transported in plaintext as well.

For sending pictures Whatsapp uses mms.whatsapp.net and this time it does send the data encrypted.

The Android, Nokia and Blackberry way.
Above is the way the Whatsapp iPhone application works. The Android, Nokia and Blackberry applications work differently. In their case Whatsapp does exactly the same; the only difference is that instead of port 5222 it connects to port 443. People say that this way Whatsapp suggests it uses an encrypted connection, since port 443 is mainly associated with encrypted HTTP traffic. Whether this is the case can be questioned: since they didn’t implement this way of connecting in the iPhone application, it suggests that using port 443 on these devices has a well-motivated reason.
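
Whether a connection on port 443 is really encrypted can be checked from a capture by looking at the bytes instead of the port number. The following is an added example, not code from the original post: it tests the first client bytes of a stream for TLS record framing and, when that is absent, looks for phone-number-like digit runs. The sample payloads, the function names and the 10 to 15 digit pattern are assumptions constructed for illustration.

```python
import re
import struct

# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {20, 21, 22, 23}
MAX_TLS_RECORD = 2**14 + 2048  # largest ciphertext fragment TLS 1.2 allows

# Constructed samples (not captured traffic): a minimal TLS handshake record,
# and an XMPP-style stanza carrying a made-up phone number in the clear.
TLS_SAMPLE = bytes([0x16, 0x03, 0x01, 0x00, 0x05]) + b"\x01\x00\x00\x01\x00"
PLAIN_SAMPLE = b'<message to="31600000000@example.invalid"><body>hi</body></message>'

def looks_like_tls(payload: bytes) -> bool:
    """True if payload is a chain of well-formed TLS record headers."""
    offset, records = 0, 0
    while offset + 5 <= len(payload):
        ctype, major, minor, length = struct.unpack_from("!BBBH", payload, offset)
        if ctype not in TLS_CONTENT_TYPES or major != 3 or minor > 4:
            return False
        if length > MAX_TLS_RECORD:
            return False
        offset += 5 + length  # skip the record body, land on the next header
        records += 1
    return records > 0

# Assumption: a standalone run of 10-15 digits is treated as phone-number-like.
PHONE_RE = re.compile(rb"(?<!\d)\d{10,15}(?!\d)")

def classify_stream(port: int, payload: bytes) -> dict:
    """Classify the first client bytes of a TCP stream, independent of port."""
    encrypted = looks_like_tls(payload)
    printable = sum(32 <= b < 127 for b in payload) / max(len(payload), 1)
    phones = [] if encrypted else [m.decode() for m in PHONE_RE.findall(payload)]
    finding = "ok" if encrypted else ("plaintext identifiers" if phones else "not TLS")
    return {
        "port": port,
        "tls": encrypted,
        "printable_ratio": round(printable, 2),
        "phone_like": phones,
        "finding": finding,
    }

if __name__ == "__main__":
    for port, data in [(443, TLS_SAMPLE), (443, PLAIN_SAMPLE), (5222, PLAIN_SAMPLE)]:
        print(classify_stream(port, data))
```

A "not TLS" result only means no TLS framing was seen; traffic protected by a custom encryption layer would also be reported that way.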

We should not forget that encrypting your messages will make the application slower, the transport of the messages slower, and will eat your battery.
Despite that, it is not necessary to transfer usernames and telephone numbers. User IDs and phone IDs can be used instead.

In addition to these security weaknesses in Whatsapp, the application had another big flaw that allows account hijacking. For details on this subject see my previous blog: http://rickey-g.blogspot.com/2011/05/hijack-someone-elses-whatsapp-with-your.html
Since it is possible to spoof SMS messages, Whatsapp can fix this problem only by disabling all verification methods other than sending a verification SMS themselves.

4 comments:

  1. I just wanted to test it myself and indeed: the content of WhatsApp messages in Wireshark. I have been wondering for a while whether it is possible to build a client for the PC. Do you think this is possible? Since the SMS verification has been cracked as well.. The easiest way seems to me to decompile the Android app, for example, since this is Java. Let me know what you think
    - Herman

  2. Yes, that is certainly possible if you replicate the whatsapp packets.
    I think it is also possible to make a client that can send messages on behalf of other people.
    So spam is also an option via whatsapp. (I think)

  3. This is really useful information, but I want to ask a question.

    Since whatsapp uses many IP addresses, how can I detect whatsapp messages? By which parameter does it differ from other applications?

    Thanks
