Multiple vulnerabilities in WhatsApp

SEC Consult Vulnerability Lab Security Advisory < 20111219-0 >

=======================================================================

title: Multiple vulnerabilities in WhatsApp

product: WhatsApp (tested on Android client)

fixed version: -

impact: Medium

homepage: www.whatsapp.com

found: 2011-09-09

by: G. Wagner

SEC Consult Vulnerability Lab

www.sec-consult.sg

=======================================================================

 

Vendor description:

-------------------

WhatsApp Messenger is a cross-platform mobile messaging app which allows to

exchange messages without having to pay for SMS. In addition to basic

messaging iPhone, Android, Nokia and BlackBerry WhatsApp Messenger users can

send each other images, video and audio media messages.

 

 

Issue 1: Updating arbitrary users' status

-----------------------------------------

The WhatsApp does most of its communication through XMPP, in some cases though

the client sends HTTPS requests to interact with the server. This is the case

when the client fetches a users' status, as well as for updating it. By

providing any WhatsApp registered telephone number and the text for the status

update, it is possible to change a user's status. This action does not require

any prior authentication or authorization (This issue was last tested

2011-12-07).

 

No POC will be published as no fix is available.

 

 

Issue 2: Registration bypass

----------------------------

The second issue concerns the registration process. One method to verify a

phone number is through a text message that is sent to the phone. So if the

entered phone number is not yet registered with a specific udid a HTTP GET

request is sent to /v1/code.php.

 

This action triggers a SMS to be sent to the phone number that is supposed to

be registered. The SMS contains a 3 digit code for example "WhatsApp code

101". If the client receives the SMS it would send the code to the server

through /v1/register.php to verify it.

 

This function can be easily bruteforced and therefore an arbitrary phone

number can be registered. The vendor has implemented bruteforce protection by

locking a number after 10 tries. This step makes a successful attack on a

specific number unlikely but an attacker bruteforcing X00 numbers can still

guess X number(s) on average.

 

 

Issue 3: Usage of plain text protocols

--------------------------------------

As published in the past several times already the XMPP traffic from WhatsApp

is not encrypted. So if an attacker is able to perform a Man-in-the-middle

attack it would be possible to read for example received or sent messages and

even modify them. The response from the vendor did not indicate that there is

a concrete plan to resolve this issue in the future.

 

 

Vendor contact timeline:

------------------------

2011-09-14: Initially contacted vendor

2011-09-14: Contact established to security team and sent advisory. Asked for

feedback and patch timeline.

2011-09-23: No response from vendor. Asked for feedback and patch timeline.

2011-09-23: Vendor response asking for clarification regarding issue 2.

2011-10-14: Response sent regarding issue 2.

2011-10-26: No response from vendor. Asked for feedback and patch timeline.

2011-11-02: Feedback from vendor regarding issue 2.

2011-11-02: Asked for patch timeline of the other issues and coordinated

publication.

2011-12-07: No response from vendor. Informed vendor of last chance to provide

a patch timeline within 7 work days.

2011-12-14: No response from vendor.

2011-12-19: Public release without POC

 

 

Recommendations:

----------------

WhatsApp users are advised to confirm messages with important content on a

different communication channel.

 

 

Advisory URL:

-------------

www.sec-consult.sg/advisories.html

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Singapore Pte. Ltd.

 

4 Battery Road

#25-01 Bank of China Building

Singapore (049908)

 

Mail: research at sec-consult dot com

www.sec-consult.sg

 

EOF G. Wagner / @2011