seeing is believing

WhatsApp Status Update / Registration Bypass / Plain Text Protocols

WhatsApp Status Update / Registration Bypass / Plain Text Protocols
Posted Dec 19, 2011
Authored by G. Wagner | Site sec-consult.com

The WhatsApp tool suffers from arbitrary user status updating, registration bypass and plaintext protocol vulnerabilities.

tags | advisory, arbitrary, vulnerability, protocol
MD5 | 8dc8ce05330ec9d304a785f5e36e283f

WhatsApp Status Update / Registration Bypass / Plain Text Protocols

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20111219-1 >
=======================================================================
title: Multiple vulnerabilities in WhatsApp
product: WhatsApp (tested on Android client)
fixed version: -
impact: Medium
homepage: http://www.whatsapp.com/
found: 2011-09-09
by: G. Wagner
SEC Consult Vulnerability Lab
https://www.sec-consult.sg
=======================================================================

Vendor description:
-------------------
WhatsApp Messenger is a cross-platform mobile messaging app which
allows to exchange messages without having to pay for SMS. In addition
to basic messaging iPhone, Android, Nokia and BlackBerry WhatsApp
Messenger users can send each other images, video and audio media
messages.


Issue 1: Updating arbitrary users' status
-----------------------------------------
The WhatsApp does most of its communication through XMPP, in some cases
though the client sends HTTPS requests to interact with the server.
This is the case when the client fetches a users' status, as well as
for updating it. By providing any WhatsApp registered telephone number
and the text for the status update, it is possible to change a user's
status. This action does not require any prior authentication or
authorization (This issue was last tested 2011-12-07).

No POC will be published as no fix is available.


Issue 2: Registration bypass
----------------------------
The second issue concerns the registration process. One method to
verify a phone number is through a text message that is sent to the
phone. So if the entered phone number is not yet registered with a
specific udid a HTTP GET request is sent to /v1/code.php.

This action triggers a SMS to be sent to the phone number that is
supposed to be registered. The SMS contains a 3 digit code for example
"WhatsApp code 101". If the client receives the SMS it would send the
code to the server through /v1/register.php to verify it.

This function can be easily bruteforced and therefore an arbitrary phone
number can be registered. The vendor has implemented bruteforce
protection by locking a number after 10 tries. This step makes a
successful attack on a specific number unlikely but an attacker
bruteforcing X00 numbers can still guess X number(s) on average.


Issue 3: Usage of plain text protocols
--------------------------------------
As published in the past several times already the XMPP traffic from
WhatsApp is not encrypted. So if an attacker is able to perform a
Man-in-the-middle attack it would be possible to read for example
received or sent messages and even modify them. The response from the
vendor did not indicate that there is a concrete plan to resolve this
issue in the future.


Vendor contact timeline:
------------------------
2011-09-14: Initially contacted vendor
2011-09-14: Contact established to security team and sent advisory.
Asked for feedback and patch timeline.
2011-09-23: No response from vendor. Asked for feedback and patch
timeline.
2011-09-23: Vendor response asking for clarification
regarding issue 2.
2011-10-14: Response sent regarding issue 2.
2011-10-26: No response from vendor. Asked for feedback and patch
timeline.
2011-11-02: Feedback from vendor regarding issue 2.
2011-11-02: Asked for patch timeline of the other issues and coordinated
publication.
2011-12-07: No response from vendor. Informed vendor of last chance to
provide a patch timeline within 7 work days.
2011-12-14: No response from vendor.
2011-12-19: Public release without POC


Recommendations:
----------------
WhatsApp users are advised to confirm messages with important content
on a different communication channel.


Advisory URL:
-------------
https://www.sec-consult.sg/advisories.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Singapore Pte. Ltd.

4 Battery Road
#25-01 Bank of China Building
Singapore (049908)

Mail: research at sec-consult dot com
https://www.sec-consult.sg

EOF G. Wagner / @2011

Comments (1)

RSS Feed Subscribe to this comment feed
sawenka

WhatsApp users are advised to confirm messages with important content
on a different communication channel...eBuddy XMS.

At least, I am using this app now with my friends and like it. Have not been down since I started using it, and whatsapp seems to cause too many problems nowadays.

Comment by sawenka
2012-01-06 13:05:57 UTC | Permalink | Reply
Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close