WhatsApp Uses a Potentially Insecure Authentication Mechanism

WhatsApp has been criticized earlier for lax security on multiple occasions. In May last year, WhatsApp accounts could be hijacked without the user knowing, and another time in January this year, the status of a WhatsApp user could be changed remotely. Both these vulnerabilities were fixed soon. However, a concern that lived on was that WhatsApp sends communications in plaintext. This vulnerability was found in May 2011 and it was not fixed until May this year. However, the most insecure vulnerability on WhatsApp is simply in its authentication mechanism.


The Wikipedia page for WhatsApp outlines its Technical Specifics as,

WhatsApp uses a customized version of the open standard Extensible Messaging and Presence Protocol (XMPP).Upon installation, it creates a user account using one’s phone number as username (Jabber ID: [phone number]@s.whatsapp.net) and an MD5-hashed, reversed-version of the phone’s IMEI as password.

An interesting analysis by Sam Granger points out how easy it is to leverage this information, and actually get access to a user account. Who would have thought that WhatsApp uses exactly the same mechanism as written on the Wikipedia page, no salting of the hash, no obfuscated MD5 variant; in short, no deviations from what is written down!

WhatsApp has to get its security straight. It is under constant criticism for over a year now, and it is time WhatsApp is the first to make a security related move, rather than someone pointing out flaws and it going ahead and patching them.

For an intriguing discussion on this topic, read this Hacker News thread.

Published by

Chinmoy Kanjilal

Chinmoy Kanjilal is a FOSS enthusiast and evangelist. He is passionate about Android. Security exploits turn him on and he loves to tinker with computer networks. You can connect with him on Twitter @ckandroid.

  • Chinmoy ,I didn’t know that whatsapp was using plain text authentication.Thanks for sharing