Account theft still possible with latest WhatsApp
Recent changes to WhatsApp, which appears to have captured a position
as the popular app-based alternative to texting, have not actually
secured the system, at least for Android users. In a test by heise Security, it was found to still be possible to take
over an account unnoticed and send and receive WhatsApp messages on
behalf of that user.
Just over two months ago, WhatsApp stopped transmitting users' messages in plain text. This meant that tools such as WhatsApp Sniffer no longer worked. But within weeks it became apparent that WhatsApp's new approach was hardly any protection as the application used the device's IMEI serial number on Android and the Mac address of the Wi-Fi interface on iOS to generate passwords. As these are easily obtained items of information, the WhatsAPI PHP library was quickly adapted to make use of this information and take over an account.
Two weeks ago, though, it became apparent that WhatsApp had changed their server-side processing. Web clients that used the WhatsAPI library were unable to operate with the service. This led people to assume that WhatsApp had made the system safe, but as the company was not providing any information on its changes it appeared to be relying on security through obscurity.
That obscurity has not lasted long though. A reader of heise Security sent them a script which restored the WhatsAPI library to operation and again allowed them to hijack the account of an Android user of WhatsApp with only the phone number and IMEI code. With the previous version of WhatsAPI, it was possible to also hijack iOS users, but it was not possible to test this with the current version. It is reasonable to assume though, that other smartphone versions of WhatsApp are vulnerable in a similar way.
Although WhatsApp had not responded in the past to heise Security's media inquiries, they informed the company of the security problem and after a few days actually recieved a response from a person who is, according to media reports, one of the founders of WhatsApp. She informally asked what version of the app was concerned and was told it was Android version 2.8.7326. Since then, there's been silence though.
To help accelerate the closing of the hole, heise Security then offered WhatsApp all the details about the vulnerability and the account used with the script. Days have passed since this, however, and heise Security have not been asked by WhatsApp to send on that information.
Just over two months ago, WhatsApp stopped transmitting users' messages in plain text. This meant that tools such as WhatsApp Sniffer no longer worked. But within weeks it became apparent that WhatsApp's new approach was hardly any protection as the application used the device's IMEI serial number on Android and the Mac address of the Wi-Fi interface on iOS to generate passwords. As these are easily obtained items of information, the WhatsAPI PHP library was quickly adapted to make use of this information and take over an account.
Two weeks ago, though, it became apparent that WhatsApp had changed their server-side processing. Web clients that used the WhatsAPI library were unable to operate with the service. This led people to assume that WhatsApp had made the system safe, but as the company was not providing any information on its changes it appeared to be relying on security through obscurity.
That obscurity has not lasted long though. A reader of heise Security sent them a script which restored the WhatsAPI library to operation and again allowed them to hijack the account of an Android user of WhatsApp with only the phone number and IMEI code. With the previous version of WhatsAPI, it was possible to also hijack iOS users, but it was not possible to test this with the current version. It is reasonable to assume though, that other smartphone versions of WhatsApp are vulnerable in a similar way.
Although WhatsApp had not responded in the past to heise Security's media inquiries, they informed the company of the security problem and after a few days actually recieved a response from a person who is, according to media reports, one of the founders of WhatsApp. She informally asked what version of the app was concerned and was told it was Android version 2.8.7326. Since then, there's been silence though.
To help accelerate the closing of the hole, heise Security then offered WhatsApp all the details about the vulnerability and the account used with the script. Days have passed since this, however, and heise Security have not been asked by WhatsApp to send on that information.
SHARE THIS POST
Subscribe to:
Post Comments (Atom)
![How To Hack Whatsapp [Tutorial] - Whatsapp Sniffing App](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uah5BmotBrqhD_QWW0haWkjtzjkv8yQdtbzghWtu7g3EO6-Go4tE3Y2qm0NRGmsSdQCWXQ5sE-kyGW6wLl-P6JUMT7w1sAzpFqJt28iJWNCPM)
![WHATSAPP HACK - SPY TOOL - With PROOF! [FEBRUARY 2013] NO SURVEYS](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_vr221Nq6BqhzpiiSNKp4jBnTczOSH6F0wV-9f5THgk4lKrwy-x4kEGDrgEBVDRrj5Tcmf9z5dIdxqAARpkVfZVzXCbDAxApUzQcajB8YaGNkI)
The only working whatsapp hack on the internet! head over and get it for free!
ReplyDelete**Contact 24/7**
ReplyDeleteEmail > leads.sellers1212@gmail.com
Telegram > @leadsupplier
ICQ > 752822040
Selling USA FRESH SSN Leads/Fullz, along with Driving License/ID Number with EXCELLENT connectivity & results.
**PRICE**
>>2$ FOR EACH LEAD/FULLZ/PROFILE
>>5$ FOR EACH PREMIUM LEAD/FULLZ/PROFILE
>All Leads are Tested & Verified.
>Serious buyers will be welcome & will give discounts.
>Fresh spammed data of USA Credit Bureau
>Good credit Scores, 700 minimum scores.
**DETAILS IN EACH LEAD/FULLZ**
->FULL NAME
->SSN
->DATE OF BIRTH
->DRIVING LICENSE NUMBER WITH EXPIRY DATE
->ADDRESS WITH ZIP
->PHONE NUMBER, EMAIL, I.P ADDRESS
->EMPLOYEE DETAILS
->REALTIONSHIP DETAILS
->MORTGAGE INFO
->BANK ACCOUNT DETAILS
->Bulk order will be preferable
->Minimum order 25 to 30 leads/fullz
->Hope for the long term business
->You can asked for specific states & zips
->You can demand for samples if you want to test
->Data will be given with in few mins after payment received
->Payment mode BTC, PAYPAL & PERFECT MONEY
**Contact 24/7**
Email > leads.sellers1212@gmail.com
Telegram > @leadsupplier
ICQ > 752822040