isoeh.com https://www.isoeh.com/tutorialdetails/MTg2/whatsapp-hacking-vector-analysis-and-security-lrm-isoeh

Whatsapp hacking vector analysis and security : (#isoeh)

Even after 3 time security change, whatsapp is still prone to getting hacked!

Key facts:

~WhatsApp prior to August 2012 lacked encryption in their messages!

~Everything was sent in plaintext which could be easily intercepted and read.

~WhatsApp on Wi-Fi, allowed hackers to intercept the airwaves and read what you were sending and receiving.

~"WhatsAppSniffer" was designed to be able to intercept these messages easily.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~1st security change... (failure)~

WhatsApp implemented encryption by using your IMEI number or your MAC address as a basis for theircryptographic keys.

This was not appreciable since mac and imei can be easily deciphered..

__________________________________________~Game masquerading as sniffer~

An app game (Ballon Pop2) was recently in the news which secretly stole WhatsApp conversations once installedin phone

BalloonPop2 was originally offered in Google Play, but was taken down recently for obvious security concerns.

A screenshot of the game is given below. Please be beware of this game!

_________________________________________~Attack vector~

->||The app wa 100% a game ,but in stealth it was for hacking the phone.

->||Once executed, It gains access to a phone’s WhatsApp account and the serial number of the SIM card, thencopies the folder containing profile pictures.

->||Conversations gets uploaded to the developer’s Whatsapp Copy website, whereby using the cell phonenumber of any individual with this app installed, others can download their conversations for a small charge.

Even post removal from google play , this game is still available for download

(http://gamesapk.net/balloon_burst.apk_for_android.html#.U_7TRMWSyNA)

DON'T DOWNLOAD THOUGH!!!_____________________________________________________~Security changes rolled out and proposed ~“

1) Secure encryption to the client

If an attacker intercepts the messages at WhatsApp’s server,results wont be obtained.

2)Anonymity to the conversation

Introduction of fake/anonymous accounts and intermediate communication nodes are introduced to ensure nodirect communication between the mobile phone and the server takes place.

3)Modifying routing of all traffic and messages to XMPP server.

Post routing, the original WhatsApp servers will be only as dummy to send fake data.

_____________________________________________________

Using of custom encryption algorithm will be added.

Then the plaintext messages will be sent to the XMPP server.

Format:

Data: < recipient > ? < whatsapp_message_ id > ? < message > .

~Working method:~

The program replaces every character in the original text with wildcard characters

Result:

~Original message never passes through WhatsApp’s servers.

~Recipient receives a message full of wildcard characters, queries the XMPP server, and replaces it with theoriginal text

This implementation proposed by researchers will make whatsapp hacking almost extinct and impossible.

by- Samrat Das www.facebook.com/dkdmd18