Posts: 642 | Thanked: 486 times | Joined on Aug 2008
#71
Yep, totally agree - if everything in WhatsApp was secure it would be a lot harder to create a port.

Abusing whatsapp is something we should not do.
 
Posts: 246 | Thanked: 2,574 times | Joined on Jan 2010 @ Egypt, Cairo
#72
Originally Posted by ColaCheater
Just because of a PM I got, I want to give, independently from the rest of the dev talk here, some thoughts on security with the to-be-developed WhatsApp client.

Everyone of us who had a little bit more intense look at WhatsApp should have noticed some security leaks, I think. Maybe even more than the ones you find scattered on the web.
We maybe should spend some thoughts on how we could try to prevent everybody from using these security issues to fake others' accounts, log into existing accounts and so on.
We shouldn't be that naive to think that WhatsApp would be more secure when we don't make these public, but what I mean is just preventing that tons of script kiddies are playing around feeling cool that they can hack WhatsApp. As said: everybody really willing to find the security issues will find them. I also think that if we wouldn't totally crash the "security" system WhatsApp has, we may be more tolerated by WhatsApp regarding the unofficial client.

Security always is a very difficult theme to talk about, especially how to proceed with found issues.
For my part there are two main reasons why I would try to keep them "secret" in our case: we actually are using some of them to make the unofficial client work, and the said prevention of script kiddies and with that maybe the friendliness of WhatsApp.
Issues we don't need to make the client work and that also are minor issues we maybe can report to WhatsApp independently from our client work, without links to the threads here etc. (but as the history of found issues shows, they seem to not really care about them).

The difficulty I now see is that if we would write in public what these issues exactly are, so that the ones working on the client(s) can consider them in their clients, we would make it in ways needless. But writing them to just a few persons always excludes the other developers.
How the single finder of the security issues is handling it is his decision, I would say, but at least I wouldn't write a "How-To hack WhatsApp".

For my part, the issue I think everybody is aware of and is a minor one we should consider is the registration of new accounts.
With the known way we can fake accounts with numbers we don't own.
The idea of letting the user choose if an automatically generated password should be used during the registration or if an own password should be used (make an MD5 of the password and it shouldn't stand out during registration) is an option I would support.
But everything else that connects the account to a specific phone should be left at the default, as the WhatsApp client is also doing it.
This way should be okay for everybody wanting a WhatsApp client for the N900/N9, I think (and it would be the easiest to use for a non-developer). There aren't more options you have to change. Maybe an option of hiding or sending the MCC/MNC would be discussible, but I would just use 0's as default.


I hope that every developer currently working on WhatsApp agrees with my position, at least the main ideas.
If not, it would be nice to have a small discussion about security here regarding how far we can offer options to the client without threatening the abuse by some people feeling cool because they can do things they shouldn't do...
Well said!
 
Posts: 12 | Thanked: 25 times | Joined on Feb 2012
#73
Originally Posted by ColaCheater
The idea of letting the user choose if an automatically generated password should be used during the registration or if an own password should be used (make an MD5 of the password and it shouldn't stand out during registration) is an option I would support.
...
Maybe an option of hiding or sending the MCC/MNC would be discussible, but I would just use 0's as default.
DEVS: Password can be anything; still reverse and MD5 the password, so you don't need to check if it's an IMEI etc. (MAKE SURE YOU REVERSE THE PASSWORD SO ALL CLIENTS ARE COMPATIBLE)
With PHP, I'm doing this: md5(strrev($Password));

Also, you need to send the correct MCC/MNC for registration to work properly, or else you won't receive the code via SMS. (voice will still work though)

Regarding devs discussion, this is why I suggested Google+.
I've already discussed a few security issues with tgalal on there.

Again: My Google+ Profile, I'll create an open discussion with Developers ONLY.

Last edited by OzJD; 2012-02-23 at 03:24.
 
Posts: 16 | Thanked: 2 times | Joined on Feb 2012 @ Netherlands
#74
Originally Posted by teamer
Actually the password could be anything (as long as your number is not yet registered with WhatsApp). But the verification code that is sent via SMS is generated on the server and there's a 'small' probability (small as 99.99999%) that it is built on some random seed which will be almost impossible to figure out. So you need to stick to the code sent by the SMS verification. OR, skip all the register/validation process and just login with your username/password created by the official WhatsApp (phone as username, the md5 thing as password); simply ask the user for their phone # and IMEI of the phone they used to register.

The verification code sent via SMS is only 3 digits as I remember, so it's impossible that there is some algorithm that generates it; it's randomly generated and linked to your phone number (probably).
Just a quick question here: if I give someone my number and IMEI, and they bypass WhatsApp and get the application installed that way, would both of us be able to login at the same time? And does WhatsApp save chat history; would the other person gain access to all my chat history?
 
Posts: 246 | Thanked: 2,574 times | Joined on Jan 2010 @ Egypt, Cairo
#75
Originally Posted by lmfao0
Just a quick question here: if I give someone my number and IMEI, and they bypass WhatsApp and get the application installed that way, would both of us be able to login at the same time? And does WhatsApp save chat history; would the other person gain access to all my chat history?
Guys, this is an exact example of how our work could be misused. Please ignore all requests from lmfao0 because he/she is not going to provide you with his/her own data.
 
Posts: 16 | Thanked: 2 times | Joined on Feb 2012 @ Netherlands
#76
Originally Posted by tgalal
Guys, this is an exact example of how our work could be misused. Please ignore all requests from lmfao0 because he/she is not going to provide you with his/her own data.
Not trying to misuse anything; I am just curious if it is just that easy for anyone to steal anyone's information. I am responding to what was readily posted on this website. Maybe I am making sure my own account isn't hacked or my own gf can not get into my conversations.
 
Posts: 16 | Thanked: 2 times | Joined on Feb 2012 @ Netherlands
#77
Originally Posted by tgalal
Guys, this is an exact example of how our work could be misused. Please ignore all requests from lmfao0 because he/she is not going to provide you with his/her own data.

And one more thing: just because you refuse to comment on certain security flaws does not mean that they aren't visible on the internet. I don't see the point of not informing the population and making them aware of what security risks there are, as opposed to keeping it amongst yourselves when you yourself admit WhatsApp isn't fixing it.

I had a bet with my buddy about apps like whatsapp and tried to prove a point. Take care.
 

Posts: 246 | Thanked: 2,574 times | Joined on Jan 2010 @ Egypt, Cairo
#78
Originally Posted by lmfao0
Not trying to misuse anything; I am just curious if it is just that easy for anyone to steal anyone's information. I am responding to what was readily posted on this website. Maybe I am making sure my own account isn't hacked or my own gf can not get into my conversations.
Originally Posted by lmfao0
I had a bet with my buddy about apps like whatsapp and tried to prove a point. Take care.
I guess the PM you've sent me earlier doesn't agree with those words. Does it?
 

Posts: 16 | Thanked: 2 times | Joined on Feb 2012 @ Netherlands
#79
Originally Posted by tgalal
I guess the PM you've sent me earlier doesn't agree with those words. Does it?
Asking about account spoofing and help?

I believe my words were "I need help with spoofing an account and registration on WhatsApp and how it works", or somewhere along those lines. Yes?

Without knowing for what use or for whom it is, don't jump to conclusions. kthnxbye

Edit: one more thing, it's common knowledge that when you don't want a hack to be fixed you don't leak it. The best way to ask for a security fix is by leaking it. For example, remember the status update? It was only fixed after it was leaked and spread. Was fixed up within a month. By keeping the flaws a secret you aren't protecting anyone, just prolonging the use because WhatsApp is thinking that not that many people know about it.

Last edited by lmfao0; 2012-02-23 at 07:49.
 
Posts: 246 | Thanked: 2,574 times | Joined on Jan 2010 @ Egypt, Cairo
#80
Originally Posted by lmfao0
Asking about account spoofing and help?

Edit: one more thing, it's common knowledge that when you don't want a hack to be fixed you don't leak it. The best way to ask for a security fix is by leaking it. For example, remember the status update? It was only fixed after it was leaked and spread. Was fixed up within a month. By keeping the flaws a secret you aren't protecting anyone, just prolonging the use because WhatsApp is thinking that not that many people know about it.
You are right. But is that what you really want?

Originally Posted by lmfao0
I saw your post in the WhatsApp thread regarding WhatsApp..

I was wondering if you could help me.. I have a Nokia X2 and an Android phone.

Either one would work, but I was wondering if you were able to figure out a way in which I would be able to activate a spoofed WhatsApp number without the other person knowing. I know the WhatsApp code is generated within the phone first and then sent to the servers; is there any way you could help me intercept the message and make the WhatsApp servers think the code went through to get the spoofed number registered.

Your help would be greatly appreciated, I have been looking for help for months. Please help :/
lol
 
