Researchers Warn of WhatsApp Security Flaws
It's easy for an attacker to take over a user's account, and there's no way to recover an account once it's been compromised.
Security researchers are warning that the messaging app WhatsApp is easily hackable.
"Anyone using WhatsApp on a public Wi-Fi network risks having their data sniffed and their account used to send and receive messages," The H Security reports. "Once hacked, there is no way to restore account security -- attackers will be able to continue to use the hacked account at their discretion."
The issue, according to The H Security, is that the app logs on to the server with an internally generated password, which is derived from the device's IMEI number on Android devices and from the device's MAC address on iOS devices. "The problem with this is that the information is anything other than secret -- the IMEI can often be found on stickers inside of Android phones (usually under the battery) and can also be obtained using a shortcut key combination or by any app," the article states. "Sniffing this data is even easier when it comes to devices running iOS -- the MAC address is visible to anyone within range of the Wi-Fi network being used."
"Once this data is obtained, taking over an account is not difficult at all," writes Softpedia's Eduard Kovacs. "The attacker enters the MAC or the IMEI into a script which allows him to send arbitrary messages from the compromised account. ... And there’s another problem. Once the account is compromised, there is no way to block the attacker from accessing it once again because the password in question cannot be changed."
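The design weakness described above, contrasted with a server-issued random credential, as an added example that is not code from the article or from WhatsApp. The SHA-256 derivation is a stand-in (the article does not state the real function), and the `TokenServer` class, the account name and the sample MAC address are hypothetical.

```python
import hashlib
import hmac
import secrets

def derived_credential(device_id: str) -> str:
    """Weak scheme: the credential is a pure function of a device identifier.
    SHA-256 is an assumed stand-in for the unstated real derivation."""
    return hashlib.sha256(device_id.encode()).hexdigest()

class TokenServer:
    """Hardened scheme (hypothetical): the server issues a random secret per
    account and stores only its hash, so it can be rotated after compromise."""
    def __init__(self):
        self._hashes = {}

    def issue(self, account: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Issuing again overwrites the stored hash, invalidating the old token.
        self._hashes[account] = hashlib.sha256(token.encode()).digest()
        return token

    def verify(self, account: str, token: str) -> bool:
        expected = self._hashes.get(account)
        if expected is None:
            return False
        got = hashlib.sha256(token.encode()).digest()
        return hmac.compare_digest(expected, got)  # constant-time compare

def compare_schemes() -> dict:
    device_id = "00:11:22:33:44:55"  # constructed sample MAC address
    # Derived scheme: the owner and anyone who learns the identifier compute
    # the same value, and a "reset" recomputes that same value again.
    owner = derived_credential(device_id)
    observer = derived_credential(device_id)
    after_reset = derived_credential(device_id)

    server = TokenServer()
    old = server.issue("alice")
    new = server.issue("alice")  # rotation after a suspected compromise
    return {
        "derived_reproducible": owner == observer,
        "derived_rotatable": after_reset != owner,
        "random_old_rejected": not server.verify("alice", old),
        "random_new_accepted": server.verify("alice", new),
    }

if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```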
"Given how popular the app is, any security issues could have serious consequences," writes CNET News' Elinor Mills. "'There are lots of activists who use WhatsApp b/c they think it is a secure way to chat from mobile. They're so wrong,' tweeted Christopher Soghoian, principal technologist and a senior policy analyst with the Speech, Privacy and Technology Project at the American Civil Liberties Union."