As I showed in the previous post, it is possible to use the WhatsApp service from Linux through a small client written in Python. In that post I showed how to register a phone number to obtain a password, and then how to log in and use WhatsApp. The interesting question is whether it is possible to get someone else's password and use their "user". Well, the answer is YES, and it's easier than I thought it would be. The method I will describe was tested on Android and iPhone. Blackberry and Symbian weren't successful.
First we must get the password of a user who is already registered and currently using WhatsApp. Because WhatsApp uses an MD5 hash of the IMEI or the MAC (depending on the OS) to generate the password, having either of them plus the phone number is enough to use that user's identity.
On Android, WhatsApp uses an MD5 hash of the reversed IMEI. In Python this is easily done:

    import hashlib

    imei = "IMEI_HERE"  # Here goes the IMEI (placeholder)
    revimei = imei[::-1]  # We reverse the string
    # MD5 of the reversed IMEI, printed as a hex string
    print(hashlib.md5(revimei.encode("ascii")).hexdigest())

To verify the hash, there is an API that returns whether the given information is correct. Its parameters are:
country = The two-digit country code
number = The cellphone number without the country code. In the case of Argentina (Buenos Aires), 11xxxxyyy
hash = The hash we previously got
Once we have validated the hash, it is time to use it in the password field of the configuration file (remember?). Because of the way yowsup is implemented, it is necessary to encode the hash. So again in Python:
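
    import base64

    verified_hash = "VERIFIED_HASH_HERE"  # The verified hash (placeholder)
    # Base64-encode the hex string for the password field
    print(base64.b64encode(verified_hash.encode("ascii")).decode("ascii"))
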
The iPhone case is very similar to Android's, with the difference that instead of the IMEI it uses the MAC (typed twice):

    import hashlib

    mac = "MAC_HERE"  # Here goes the MAC (placeholder)
    # Note: if mac = "AA:BB:CC" then mac + mac = "AA:BB:CCAA:BB:CC"
    # This is ok; the ':' should not be removed
    print(hashlib.md5((mac + mac).encode("ascii")).hexdigest())

Don't forget to encode the hash and to fill in the password field in the configuration file.
The data needed to perform this "phishing" isn't public, but it is no challenge for a private network spoof or for any malicious app that saves the required information. There is also the "lend me your phone for 2 seconds" method, which gets this data with no trouble.
Once we pass ourselves off as someone else, it is simple to distribute malware or fulfil any other malicious ideas.
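
The root problem described above is that the password is a fixed function of a device identifier, so it cannot be rotated and anyone who learns the identifier can recompute it. The following is an added example (not from the original post, and not WhatsApp or yowsup code) that places the Android derivation beside a randomly issued credential; `issue_random_credential`, `verify_credential`, `compare_schemes` and the sample IMEI are hypothetical names and constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed sample identifier, not a real device.
SAMPLE_IMEI = "490154203237518"

def legacy_android_password(imei):
    """Scheme from the post: MD5 of the reversed IMEI, hex-encoded."""
    return hashlib.md5(imei[::-1].encode("ascii")).hexdigest()

def issue_random_credential():
    """Hypothetical hardened scheme: secret from the OS CSPRNG.

    Returns (secret_for_client, sha256_hex_for_server_storage). The server
    keeps only the digest, so a database leak does not expose the secret.
    """
    secret = secrets.token_urlsafe(32)  # 32 random bytes, 256 bits
    stored = hashlib.sha256(secret.encode("ascii")).hexdigest()
    return secret, stored

def verify_credential(presented, stored_digest):
    """Constant-time comparison of a presented secret with the stored digest."""
    digest = hashlib.sha256(presented.encode("ascii")).hexdigest()
    return hmac.compare_digest(digest, stored_digest)

def compare_schemes(imei=SAMPLE_IMEI):
    """Summarise the properties that separate the two schemes."""
    first_secret, first_stored = issue_random_credential()
    second_secret, _ = issue_random_credential()
    return {
        # Same identifier always yields the same password: no rotation,
        # and anyone who learns the IMEI can recompute it.
        "legacy_is_deterministic":
            legacy_android_password(imei) == legacy_android_password(imei),
        # Re-registration yields a fresh, unrelated secret.
        "random_rotates": first_secret != second_secret,
        "random_verifies": verify_credential(first_secret, first_stored),
        # Knowing the device identifier gives nothing to present.
        "identifier_rejected":
            not verify_credential(legacy_android_password(imei), first_stored),
    }

if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```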