Tuesday 24 May 2011

WhatsApp security weaknesses

The facts about WhatsApp, and all the drama.

On an iPhone, opening the WhatsApp application causes the following to happen:
- The application resolves sro.whatsapp.net.
- It gets the addresses back from: ns1.softlayer.com
- An encrypted(!) connection is set up on port 443 with (in this case)
Unfortunately I haven't been able to perform a MITM attack to decrypt the data sent between these two parties, so I don't know what data is transported between them.
- Through this encrypted(!) connection the IP address of the WhatsApp chat servers is sent, in this case: WhatsApp uses the Extensible Messaging and Presence Protocol (XMPP), but its own version of it.
- From this moment on WhatsApp communicates via port 5222 with the WhatsApp XMPP server, and simultaneously keeps the encrypted connection open. What is remarkable is that all messages sent via the WhatsApp application are sent without encryption over port 5222, in plaintext. The transported data contains sensitive information: names and their corresponding telephone numbers are transported in plaintext as well.

For sending pictures WhatsApp uses mms.whatsapp.net, and this time it does send the data encrypted.

The Android, Nokia and BlackBerry way.
The above is how the WhatsApp iPhone application works. The Android, Nokia and BlackBerry applications work differently. In their case WhatsApp does exactly the same, the only difference being that instead of port 5222 it connects to port 443. People say that this way WhatsApp suggests it uses an encrypted connection, since port 443 is mainly associated with encrypted HTTP traffic. Whether this is the case is debatable: since they did not implement this way of connecting in the iPhone application, it suggests that using port 443 on these devices has a well-motivated reason.
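As an added example (not code from the original post and not WhatsApp's own code), the following Python script shows how to check what the post describes without trusting port numbers: it classifies captured TCP payloads as TLS, plaintext or binary by looking at their first bytes, and for plaintext segments it lists any phone-number-like strings an eavesdropper would see. The segments inside are constructed to mirror the post's observations, and the `Segment` type is only a stand-in for what a capture library would hand you.

```python
"""
Passive check on captured chat traffic: is a TCP payload TLS, plaintext or
something else, whatever port it was seen on?

Added example for this post; it is not WhatsApp code and the payloads below
are constructed, not captured. The post observes plaintext chat on port 5222
(iPhone) and on port 443 (Android/Nokia/BlackBerry), so the classifier looks
at the bytes themselves instead of trusting the port number.
"""
import re
from dataclasses import dataclass


@dataclass
class Segment:
    """One TCP segment as a capture tool would hand it to us (constructed stand-in)."""
    dst_port: int
    payload: bytes


# E.164-style numbers: optional '+' followed by 10 to 15 digits.
PHONE_RE = re.compile(rb"\+?[0-9]{10,15}")


def looks_like_tls(payload: bytes) -> bool:
    """A TLS connection opens with a Handshake record (content type 0x16) whose
    record-layer version is 3.x (SSL 3.0 and TLS 1.0-1.3 all put 0x03 there)."""
    return (
        len(payload) >= 3
        and payload[0] == 0x16
        and payload[1] == 0x03
        and payload[2] <= 0x04
    )


def is_mostly_printable(payload: bytes, threshold: float = 0.9) -> bool:
    """Heuristic for plaintext: most bytes are printable ASCII or whitespace."""
    if not payload:
        return False
    printable = sum(1 for b in payload if 0x20 <= b <= 0x7E or b in b"\t\r\n")
    return printable / len(payload) >= threshold


def classify(payload: bytes) -> str:
    """Return 'tls', 'plaintext' or 'binary' for one segment payload."""
    if looks_like_tls(payload):
        return "tls"
    if is_mostly_printable(payload):
        return "plaintext"
    return "binary"


def audit(segments):
    """Classify every segment and, for plaintext ones, pull out phone-number-like
    strings so the analyst sees exactly what an on-path observer would see."""
    findings = []
    for seg in segments:
        kind = classify(seg.payload)
        numbers = []
        if kind == "plaintext":
            numbers = sorted({m.decode("ascii") for m in PHONE_RE.findall(seg.payload)})
        findings.append({
            "port": seg.dst_port,
            "kind": kind,
            "phone_numbers": numbers,
            # The port-443 variant the post describes: port 443 is no proof of TLS.
            "plaintext_on_443": kind == "plaintext" and seg.dst_port == 443,
        })
    return findings


def summary(findings):
    """Count plaintext segments, how many of those were on port 443, and which
    numbers were exposed across the whole capture."""
    plain = [f for f in findings if f["kind"] == "plaintext"]
    return {
        "plaintext_segments": len(plain),
        "plaintext_on_443": sum(1 for f in plain if f["plaintext_on_443"]),
        "exposed_numbers": sorted({n for f in plain for n in f["phone_numbers"]}),
    }


# Constructed sample traffic, modelled on the behaviour the post describes.
SAMPLE_SEGMENTS = [
    # TLS ClientHello record header on port 443 (the sro.whatsapp.net-style connection)
    Segment(443, bytes([0x16, 0x03, 0x01, 0x00, 0x2A, 0x01, 0x00, 0x00, 0x26, 0x03, 0x03]) + bytes(32)),
    # plaintext chat stanza on port 5222, as seen for the iPhone client
    Segment(5222, b"<message to='+31600000001@s.whatsapp.net'><body>hi Herman</body></message>"),
    # the same kind of plaintext, but on port 443 (Android/Nokia/BlackBerry variant)
    Segment(443, b"<presence from='+31600000002@s.whatsapp.net' name='Herman'/>"),
    # opaque bytes, e.g. an already-encrypted picture upload to mms.whatsapp.net
    Segment(443, bytes(range(0x80, 0xC8))),
]


if __name__ == "__main__":
    results = audit(SAMPLE_SEGMENTS)
    for finding in results:
        print(finding)
    print(summary(results))
```

The TLS check only recognises a stream whose first segment is a handshake record; a stream that starts in the clear and upgrades with STARTTLS would show up as plaintext first, which is exactly the case you want flagged when auditing your own device's traffic.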

We should not forget that encrypting your messages will make the application slower, make the transport of messages slower, and will eat your battery.
Despite that, it is not necessary to transfer usernames and telephone numbers at all; user IDs and phone IDs can be used instead.

On top of these security weaknesses in WhatsApp, the application had another big flaw that allows account hijacking. For details on this subject see my previous blog post: http://rickey-g.blogspot.com/2011/05/hijack-someone-elses-whatsapp-with-your.html
Since it is possible to spoof SMS messages, WhatsApp can only fix this problem by disabling all verification methods other than sending a verification SMS themselves.

41 comments:

  1. I just wanted to test it myself and indeed: the content of WhatsApp messages in Wireshark. I've been wondering for a while whether it is possible to build a client for the PC. Do you think this is possible? Since the SMS verification has also been cracked.. The easiest seems to me to decompile the Android app, for example, since that is Java. Let me know what you think
    - Herman

  2. Yes, that is certainly possible if you replicate the WhatsApp packets.
    I think it is also possible to make a client that can send messages on behalf of other people.
    So spam is also an option via WhatsApp. (I think)

  3. It is really useful information, but I want to ask a question.

    For WhatsApp messages, since WhatsApp is used with many IP addresses, how can I detect WhatsApp messages? By which parameter does it differ from other applications?


  4. Thanks for sharing info. Keep up the good work...We hope you will visit our blog often as we discuss topics of interest to you
    WhatsApp on PC

  5. Thanks blackhatthacker@gmail.com for the great and perfect hack service you provided for me. helping check on my husband's infidelity. She helped me hack his cell phone number and I was a blessing to listen to every calls in real time and also provided his email password, redirected his whatsApp messages and I was also reading all his chats with his mistress and text messages. It was all worth the time. I know there are many people like me out there. Contact her directly via email blackhatthacker@gmail.com

  6. I am undeniably thankful to you for providing us with this invaluable related information. My spouse and I are easily grateful, quite frankly the documents we needed.
    real time file transfer

  7. Nice post,Everyone , I just thought I'd let you know you can have a talented hacker get your jobs done for you , whatever you need done , reach him on CYBERSHADOW76@GMAIL.COM , let him know Oliver told you

    - See All Photos Captured.
    - Hack facebook messages, viber chats, yahoo messenger.
    - Track Line messages and BBM messages.
    - Spy SMS text messages remotely.
    - Track Call history and Spy Call Recording.
    - Read phone contact and Track Internet Browsing History.
    - 100% Undetectable and Free Update.
    - Track whatsapp messages without rooting.
    - Track mobile phone GPS location.

  8. http://number-whatsapp.blogspot.com/

  9. so nice i like whatsapp connection details check out here some whatsapp dp attitude images i find this website though searching for some cool whatsapp images for my dp have check

  10. There's a chance you're qualified to get a Apple iPhone 7.

  11. get the best iphone covers from Caselogy.com in your budget price.......

  12. For safe weight loss, at the rate of just one 1 pound
    a week, women and men have to create a calorie deficit of 500
    calories daily, either by eating less, ramping up their exercise, or doing a mixture of both https://adamfantacy.tumblr.com/

  13. After recently issuing its third revenue warning in a year, Adidas stated on Thursday it could increase spending on advertising and marketing to about thirteen percent of sales in 2014 and to between 13 and 14 p.c of sales in 2015. vectorvines.webgarden.com

  14. Ok. If you are looking to buy phone cases then visit stylebaby.

  15. I posted this article to my favorites and intend to return to for more outstanding articles.
    It’s all too easy to read and comprehend and
    also clever post. I definitely enjoyed my first read throughout this post. Have a look at:Whatsapp Dares.

  16. Hello, this weekend is pleasant in favor of me, as this moment i am reading this wonderful educational post here at my house.discount nfl jerseys My Blog http://megaworld.beep.com/

  17. I’ve been absent for some time, but now I remember why I used to love this blog. Thanks , I will try and check back more often. How frequently you update your website? My Blog http://http://mclubarena.wallinside.com

  18. Shree Ram Techno Solutions Provides CCTV Camera, Security Camera, Wireless Security, Attendance System, Access Control System, DVR, NVR, Spy Camera, Fire Alarm, Security Alarm, PCI, IP Network Camera, Dome Camera, IR Camera, CCTV, Camera Price, HIKVISION, SCATI, Time Machine

    CCTV CAmera in jaipur at Rajasthan
    Home security system in jaipur
    Wireless Home Security System in jaipur
    Realtime attendance machine in jaipur
    cctv camera dealer in jaipur
    Hikvision DVR in jaipur at Rajasthan
    security system solutions in jaipur

  19. Programs like Auto - CAD work best about the Dell Precision M6400 that Intel Quad-Core and, an extraordinary, 16GB RAM. With a wealthy blend of creativity and innovation it has come with such immensely popular computers and laptop products. Best lightweight pc laptop Laptops will be in a huge demand today and nobody wants to get a full size desktop. However, the most notable 10 accredited colleges for fast degrees provide students with options to earn accelerated degrees quicker than traditional degrees. When I asked to myself “where can I sell my laptop and acquire some cash. My Blog http://filmyroll.webpaper.co/

  20. Useful article for people who do not understand anything in modern technology and software. It is very simple and affordable even for young children. Who cares, I found a software for tracking the phone http://copy9.com/whatsapp-hack/. Very useful for parents who do not believe their children and want to know the truth.

  21. Just WoW! Thanks for sharing this awesome post. Will you please guide me to write more frequently on my blog about whatsapp dp and whatsapp status collection.

  22. Thanks a lot dear. Happy New Year 2018 in advance. Have you any collection regarding happy new year 2018 images or love status, If yes, then do let me know please. :)

  23. I want to appreciate and sincerely thank blackhatthacker@gmail.com for her service...She saved me from the lies of my cheating husband. She was able to hack his whatssp messages, listen to every call he either made or receive, hacked his email passwords and Facebook ...i know there are lots of people out there looking for proof and evidence about one thing or the other . Be open and real with her so she can even be at the best of her service to you. Do contact her by email on blackhatthacker@gmail.com