WhatsApp is broken, really broken (fileperms.org)
241 points by espinchi on Sept 14, 2012 | 130 comments



OT, but I'm intrigued by their business model.

I don't know the history, but currently, the Android app is free, and it says the use of the service is free for the first year, then will be $0.99 per year after that.

Meanwhile, the iOS app is $0.99 straight up.

Thoughts:

(a) "Free for a year, $1/year after that" seems like an awfully long time to wait for a payday, but if it works, and you get lots of free users, I bet you get more conversions in the long run than with a normal free/pro app business model.

(b) "Free in one store, paid in the other" is an interesting idea. If you can build up a large userbase of free Android users, and it's an inherently social app, your free Android users will tell their friends on iOS devices to get the app so they can communicate. They probably don't even know it's not free. It's like unintentional affiliate marketing.

(c) I realize (b) might not be an intentional choice by the developers, but a necessity due to the App Store perhaps not supporting pricing schemes like the one in (a).


Even more OT, but Angry Birds is $0.99 on iOS and free (with ads) on Android to this day: https://www.google.com/search?&q=angry+birds+android+OR+...

Just the nature of the different app ecosystems, really.


Could the fact that Apple pretty much forces you to enter your credit card number in their system play a role?

You used to be able to create an account without it, but now it seems impossible (or if it is, you have to do some devious thing 99% of the population could not figure out, even after solid googling).


> or if it is, you have to do some devious thing 99% of the population could not figure out, even after solid googling

That "devious thing" is "attempt to download a free app without an account". Then it will present you with the credit card-free option.


You can definitely create an iTunes account without a credit card. I just did 3 days ago.


That has changed recently. With the recent Angry Birds Space, they have a 'premium' option for 0.99 and it has a healthy 500,000-1,000,000 downloads.


NAVER Line is also currently killing it in this space in Japan, Korea and other nearby places. Their business model started as "free but sell extra stickers to send to your friends", but now they have critical mass it seems they're setting up some kind of social network, a piece at a time by making an app at a time. Their Photo sharing app is gaining ground, as is their "diary" (read: timeline) app.


Since Marchish this year I've found Naver's LINE to be really unreliable though. Messages delayed days or hours, etc. I'm surprised it's still growing if this is the case for more than just me.


I use it daily and haven't had any problems with messaging. Phone use can be shaky.


I have seen many people use WhatsApp in India where they just change the SIM cards once the trial period is over. (and it is very popular over there.)


I didn't even know it was going to be $0.99 a year after the first year. I only started using it a few months ago and I already feel a little locked in, I doubt 9 months from now I would bother switching to something else for the sake of a buck a year. Very clever, but I wonder if such a small amount of revenue will add up to enough.


I think it comes down to it being harder to make money on the android store and ease of piracy vs ios store. The market share / profit tradeoff ratio on android makes it worth more to be free. On iOS they sometimes make the app free too.


Tell me more. I wasn't aware app piracy was a major problem in either store.


App piracy is actually a substantial issue on both stores:

On Android, sideloading of apps from unauthorized sources (not the store), and frail DRM makes piracy really easy. The US government has been targeting these sources[1], but as you can imagine, there are many. Some have said that Android app piracy may be up to 60%[2], but I think there's some sample bias in these figures and suspect it's a fair bit lower.

On iOS, piracy is a bit more difficult, requiring a jailbreak and then a hack that allows cracked apps. From there, cracked apps can be downloaded from various sources. There are fewer solutions to crack in-app purchases, but recently a few have come into the mainstream[3]. On the whole, Apple's DRM helps, but pirates have found ways around it.

[1] http://www.theverge.com/2012/8/22/3259808/android-app-pirate...

[2] http://www.theverge.com/2012/8/7/3225154/dead-trigger-dev-in...

[3] http://www.theverge.com/2012/7/13/3156875/ios-free-in-app-pu...


Thanks. I imagine this varies a lot with app category/demographic.

I'm not a gamer, but I've heard that many gamers have a large, ongoing appetite for new games, and perhaps this makes them more sensitive to price. Even a $0.99 price tag can seem high if you want to play a half dozen new games every month. Meanwhile, a non-gamer who downloads that many apps in a whole year might not mind paying as much.

Also, gamers seem to often be power users, so it doesn't surprise me if many of them are technically savvy enough to know how to pirate. I would imagine that apps meant for garden variety Android users might be less widely pirated.

I mean, FWIW, of the friends of mine who I know use Android phones, I estimate 80 percent would have no clue how to download a pirated app if the thought even were to occur to them. And most of the other 20 percent who are tech savvy enough to do it are probably unlikely to find it worth the hassle.


In addition to the ongoing appetite for new stuff, I guess in terms of games one could add that these audiences are more likely to be younger, less willing or able to spend and generally a little less caring about bills a developer has to pay. At least in contrast to apps, which might be connected to professional interests and needs - games are very likely to be a matter of fun, which may make it easier to justify piracy in a consumer's mind.

I don't want to generalize and it's certainly not a good idea to put everyone into categories, but in my opinion piracy is heavily tied to psychological characteristics and the personality of users - in addition to a user's financial limits of course.

This comment touches an aspect that is hard to sum up in a few sentences as it doesn't come down to one single reason, but generally speaking I guess Android users are more likely to engage in piracy.


> I imagine this varies a lot with app category/demographic.

I guess it varies by region. I've seen lots of phone shops in Taiwan offering "JB" as their main service. In Germany, I've only ever heard of commercial jailbreaking services for the Xbox and Wii (which used to involve soldering).

Also, my $2 hobby iPhone game has hundreds of Chinese players after only selling one copy in China, according to iTunes Connect. In other regions it's a non-issue.


Jailbreaks can destabilize your phone on iOS. From what I understand, pirating android apps usually requires no modification of your phone's OS.


While this is true, the threshold to jailbreaking has been kept quite low by the iPhone Dev Team (and youtube), and well-organized sites like AppTrackr can get users into the habit of stealing rather than buying.

There's an interesting subtext here about demographics:

As mentioned above, it would seem that games are more vulnerable to piracy due to the broad audience (lowest common denominator) and lack of "necessity" (games may appear trivial and thus not worth paying for to some). Productivity-linked apps such as Instapaper, Omnifocus, and Day One seem to grab paying users with less difficulty.

Additionally, there's been some commentary around Android vs. iOS users being willing to pay for apps. The argument is that Apple was rather successful in targeting an audience who tend to be more willing to pay for applications. As a contrast, it's argued that Android users tend to prefer free software.


Not in store - Android allows app installs from outside of the store.


I've never had to pay for the Android app - it seems to autorenew.


I'm fairly lucky in that my work gives me a new phone about every year. So far I haven't had to pay for it, even though I've been using it for more than a year.

I'm not sure how that works with their "login" stuff, though, since I'd get a new IMEI with each new phone, but it just seems to work and the contact list is still there...

Personally, I'd always assumed there was no security at all and it just worked off your phone number. Certainly, I never treated any of it as in any way secure.


I got the iOS app when it was free, didn't know that they decided to start charging for it.


This app has ridiculous penetration, however. I've met people who use this and no other app not out of the box before. In foreign countries it is easier to get someone to WhatsApp me than it is to get them to text my strange US number.

Sure they solved a pain that's very common, replacing expensive text messaging, but part of their success is how easy it is for users without annoying username/password hoops to step through. They should fix the security, although I don't do anything important over it anyway, but I can't say they went wrong by avoiding a classic username/password setup that might have been more secure from the start.


We should all start using our regular XMPP accounts now! Most of us already have one. If you have a Gmail, Fastmail, Lavabit, GMX, Ovi.com, Yandex email address, you are ready to go. All that's left to do: Install Xabber or IM+ on your smartphone! Btw, both support OTR end2end encryption!

If you also want to instant message on your laptop: The latest Thunderbird comes with XMPP support! Or give Jitsi, which supports end2end encryption, or one of the many alternatives a try! Enjoy!


I've been seriously considering creating a highly secure text messaging replacement. I'm aware of TextSecure but find it lacking (and only available on Android). I'd love to hear if you guys think it would be a worthwhile project.


You could make one but the audience would have almost no cross-over with WhatsApp.

Your app would have a nice geeky audience of tech nerds who would drool over how secure it is and how smart they are.

WhatsApp on the other hand "just works." It requires zero setup, zero technical understanding, and is available on almost every platform (at least the "biggies" anyway).

I would say its audience is teenagers, and the less tech savvy consumer in general. I cannot see them wanting to switch to something else unless you come up with a USP which appeals to them (i.e. security is not a USP that they're interested in).


Those are basically the same thoughts that I had. Security is not enough of a concern for most of the market. I wouldn't build it as a commercial product, but basically as art for those of us who value privacy.

That said, I think the number of people concerned with message privacy is on the rise around the world. Over a few years, the market may grow significantly as privacy receives more attention.


Alternately, you could just create a third party client for WhatsApp that uses an actual password. The issue with WhatsApp is on the client end, which you can control.


Probably they will start to care, if a WhatsApp spoofer becomes widely available.


I like TextSecure, but it has one main drawback as far as I'm concerned. It doesn't hide who is talking to who and when. It only hides the message content.

I imagine a messaging app which works like TextSecure (as far as encryption goes), but integrates with Orbot (Tor for Android). Both phones would set up a Hidden Service so they can communicate directly, over the Tor network, over the Internet without an intermediate server.

That would be the perfect messaging system IMO. Not only would the message content be hidden, but who is talking to who, and when, would also be hidden. And it wouldn't require anyone to run a server to handle the messages either.

Please, somebody make this app.


What is the target market? I mentally treat all messages as insecure, and no self-proclaimed secure system would change my thoughts.


You can set up your own private XMPP server and use gibberbot, beem or yaxim on android (or any other XMPP client on the platform of your choice). This is the only way to ensure that your communication is really private.


That's actually why I haven't built it yet. I think it should be done, but I'm not sure who would actually care enough to use it.

What would change your thoughts regarding a secure messaging system? Open source?


If it works on android/ios I'm a customer. I'm using textsecure right now.


Maybe you want to try Musubi, an experimental message app from Stanford's MobiSocial lab which really cares about users' privacy. It's available for Android and iOS.


Skype would be a decent bet.


I wouldn't consider Skype secure when all traffic for Skype goes through private servers run by Microsoft and there is as far as I am aware no end to end encryption between end users.

Also, Skype's protocol and entire stack is entirely opaque and thus hasn't been nearly as checked for security issues as something like XMPP with SSL for example.


Skype is end to end encrypted, of course we don't really know how secure it is.


How do apps like WhatsApp get popular? They offer inferior service in every way to builtins, and require that both parties have installed something. SMS is in every way better unless you don't have a texting plan, in that case, GTalk and iMessage are in every way better (And GTalk is even cross platform with several fairly simple XMPP clients on IOS). Who uses this shit?

I encountered the same thing recently with Raidcall. It's a shitty voice service that's in every way inferior to Skype, but trying to position itself as a competitor to Teamspeak (Which itself has been eclipsed on features and price by Mumble). Yet, somehow people will argue with you about it and evangelize it, without any sort of benefit comparison.


WhatsApp was there first. Network effects cemented their position.

iMessage doesn't work for non-iOS phones. Annoyingly, GTalk doesn't have an official client on iOS. SMSes can get expensive.


No, there was an app Ping, which was around earlier than WhatsApp. It was ugly and didn't work well. WhatsApp is easy to set up, easy to use, and has relatively good functionality.


I am not a fan of whatsapp either but its popularity may have something to do with zero setup and no username and password to remember. A neat idea but this could have certainly been done better. The app may have some basic infrastructure problems but the average person unfortunately does not care.


Your account is your phone number which is a really smart thing I think. Therefore you do not have to add each of your contacts one by one. And when someone in your contact list installs WhatsApp they automatically show up in your WhatsApp contacts.

It's the quickest direct replacement for SMS.


I'm an "open source guy". Very picky about paying for anything.

I use the mentioned app with my Lady every day because it works so well on her iPhone too. The ease of sending photos is just pure awesome. Never failed (during one year). It works so well I don't hesitate a second to pay a dollar for it when it asks for it.

Ps. Drunk in a bar and a regular guy next to me agrees who did not agree on a bunch of other stuff.


Pps. Yes. Of course the dude next to me did not know about the possible problems the author mentions. Which of course is an issue.

How to explain to a "regular dude" that anyone can listen to your phone call if they want to?

In my world everyone "normal I know" loves the mentioned app. How do I explain them everyone can read their messages if they want to? They answer me, everyone can steal my "normal" mail too if "they want to".

Ppps. I fixed the typo I think I created after 8 pints.


Yes, it's insecure by the standards we would normally apply to software. But let's be honest - this is competing against SMS, not XMPP, Skype, et al. How hard do you think it is for someone to sniff an SMS?


Compared to this? Ridiculously hard. A5/1, while severely compromised, still requires heavy IOPS and computing power to break quickly with rainbow tables (see Kraken).

Even worse: this allows for trivial spoofing. You're far, far away from doing that with SMS.


Actually, SMS spoofing is arguably easier than WhatsApp spoofing.


Compared to sniffing data over public wifi, pretty hard.


Armed with this blog post and a laptop, you could start spying on IM traffic in your local coffee shop in five minutes. I don't know where you'd even begin with spying on SMS, but I bet that in the least it requires substantially more specialized equipment.


Yeah, it requires specialized equipment, but that's really the biggest barrier. From a protocol standpoint it isn't really any better.


I'm no SMS engineer, but I'm pretty sure SMS is stuffed in one of the ping packets used to keep the phone connected to the cell towers.


It's sent on the control channel, not the payload channel. But that's not the important bit - This is: to sniff wifi you need a computer with wifi and a freely available, easy to use program. To sniff GSM you need a rather elaborate setup.

It's not that it's "hard" to sniff SMS in a crypto sense, it's just that the bar is a lot higher than sniffing unencrypted wifi traffic.


I'd have thought a large majority of WhatsApp users use it for chatting. I can't imagine they're particularly fussed about people sniffing their plans for meeting up that night. There are varying requirements for security...


It isn't the information they can view, it is the things they can do impersonating you. Any application installed on your phone can probably access the two authenticating pieces of information. Then they can impersonate you in messages to, say, your parents and say something like "Hey mom, I need to order something, can you send me your credit card?" and then your mom, under the illusion that WhatsApp is secure, will send it right over.


A large majority of whatsapp users use it as a straight-up replacement for normal SMS. It's easy to impersonate someone's account and pull off the whole "I am stuck please wire me money" scam.


I suggest you go find some nearby open wifi in use, spy on some people, then tell them what you've found and see how they react to it. Report back when you're done... If you can....


If the table next door was having an obviously private discussion they'd probably be a bit put out if you started offering your opinion. People know their conversations often aren't secure, but then there are certain social expectations. Sometimes it's just expected that other people will politely ignore their conversation. If you told people that you had been spying on them I guarantee you that they would not blame their tech. They would place the blame squarely at your door for having listened in on something you shouldn't have.


So just because 99 percent of SMSs don't contain sensitive information, it's OK to leave the remaining 1 percent insecure?


Sadly, normal free Jabber/XMPP does not seem to be a viable alternative. On Android, sure (though the clients are not too great at reconnecting/noticing-connection-loss/reporting-message-reception) but on iOS apparently you cannot run such things in the background. At least the situation was dire when I tried to convince some iOS friends to use XMPP instead of SMS last winter. http://monal.im/ looked most promising but turned out to crash or only work when active, I don't fully remember. Maybe it got better.


You could run the real XMPP client on a server and use the native push messaging system to wake up the mobile client. This would also enable receiving "offline" messages while the mobile device is not on a network or turned off.

Of course, this would let the person operating the "real" XMPP client read your messages; but the person operating the XMPP server can do that already, so there isn't any real change -- either way you should be using OTR messaging at all times.

In the peer to peer spirit of XMPP, such a project should make it really easy to run this virtual client yourself locally or on a cheap cloud server. Maybe something like that exists already? Anybody wanna build it?


We've been trying to build something supporting that, but so far with far less than full steam. Too busy with client projects right now :)

http://woboq.im/


Hi, I am the developer of monal. It is a real, direct xmpp client and remains open in the background as long as you have an internet connection. It even has preliminary support for Jingle voip.


imo.im on iOS works perfectly fine with google talk and i receive messages when it's not running as well.


imo.im is a web service, not a raw XMPP client.


While this is true, using imo.im is probably significantly easier than setting up your own XMPP client on your own box that will send push notifications to your phone and achieves the same thing.


No mention of this on their blog (in fact, no new posts since July). And no quick patch that pops up a box asking the user to assign a password. Since it's tied to a phone number/SIM card anyway, you could easily offer a password retrieval option via SMS.

I wonder what happens if a phone number (the login) is tied to a different IMEI (the password). This can happen when you transfer a phone number from one provider to another.


> I wonder what happens if a phone number (the login) is tied to a different IMEI

I think they send a verification code to the phone via SMS or ask your permission to make a call and speak the verification code.


Yep. You'll normally see this happen if you restore an iPhone backup onto another iPhone then try to launch WhatsApp. Login will fail and you'll be asked to type in the SMS received.


Like Oscar Wilde once said, everything popular is wrong. Quality is well down in the list of things that matter to have a successful product.


I was working on a better whatsapp API than the mess that is whatsapi, but I don't have enough time. It's based on wazapp, which has an actual implementation of the binary packed XMPP transfer mechanism they use. Might upload it if someone's interested; it seems broken right now though.


Do it. It may be possible for someone to create a third-party client for WhatsApp instead of relying on the official version.


Look up wazapp, it's a third party client for the Nokia N9.


So, what's the best alternative?


Kik uses XMPP over SSL and has user-defined passwords

https://getsatisfaction.com/kik/topics/how_secure_is_kik


Google Talk, Facebook messenger, ... then it is not even dependent on the mobile phone number. And I like being able to type the messages if I have a keyboard and not just my mobile phone. I cannot understand why everybody uses WhatsApp.


It depends on what you want to do. If you want to make sure your little brother isn't spying on what you're saying, any of the IM platforms from established players is likely "good enough" (gtalk, skype, facebook chat, etc). If you're a dissident in the middle-east, your requirements may be difficult to meet.


No one's mentioned it but iPhone to iPhone the best alternative is iMessage.


Viber [1] may be a good alternative. It's free on all ecosystems - iOS, Android, WP, Blackberry, Nokia and Bada.

[1] http://www.viber.com/


Like WhatsApp, Viber is free to use and has no advertising model. If they are not making money off me directly i have to wonder how safe my data actually is with this service.


WhatsApp is not free to use. iOS users are charged a flat 99c fee while Android users are charged $1 a year from the second year onwards.

I do not know how secure Viber is but they have been steadily acquiring a good user base. If I was Viber, I would cash in on this opportunity to write a blog post or advertise their security model.


I've been using WhatsApp for well over a year on Android. I got a free renewal in June. Never paid a cent.


Sure, you may have but are you the exception or the rule?


I sometimes use Gryphn to send super secure messages like giving a client my bank account #.


But is it more secure?


No way to know. The way I see it I have two options in the worst case scenario:

Option 1 - Use an insecure paid app

Option 2 - Use an insecure free app

I am not sure about you but I will choose Option 2 given the constraints and restrict my use to communications which have no privacy problems.


Textie Messaging on iOS and Android is all SSL and doesn't scrape your address book. It can also text with people that don't have Textie by sending free SMS or email.


KakaoTalk, I switched to this from WhatsApp over a year ago.


I wonder if RIM missed an opportunity several months to a year ago, when they didn't consider porting BBM to non-Blackberry devices.


None with enough traction so i guess this has to go mainstream. Interesting though that i have not gotten any spam messages so far.


Email?


Yuilop.com - all client-server communication is encrypted, and you can call and send free SMS.


Line! It even has a messenger for Windows and Macs!


It's worse than that, on iOS devices the MAC address is easy to predict. For instance my phone and my wife's phone have the same first four bytes.

Example:

F0:AB:C7:11:xx:yy

So you can easily crack this by brute force without sniffing the device address at all.


This is by design[1]. The first 3 bytes are the same for the same manufacturer. The last 3 bytes can be assigned as they wish. Apple probably assign the 4th byte as a product identifier, so would be consistent across iPhones. I wonder what the 4th byte is for other iOS devices, or if it's the same?

[1]http://en.wikipedia.org/wiki/Organizationally_Unique_Identif...


That's very unlikely: an address space of just 65K numbers would be left, which is orders of magnitude less than the number of iPhones produced.

Considering that each phone has at least two MACs (wifi and bluetooth), even the 16 million that would be given by using the full 3 bytes look scarce.

I think that Apple has several OUIs. In fact, my iPhone's MAC doesn't have a single byte in common with the parent's.


You're right, I didn't do the maths. This list[1] from 2010 shows that Apple has dozens of OUIs and I imagine the list is much, much longer now.

[1]http://www.scribd.com/doc/42074577/Apple-OUI-List


But maybe given products use a small subset of their available addresses...

Ok, there is a simple way, let's collectively compile a list of the HN users reading this thread having an iPhone. I'll start with:

   4s - F0:CB:A1:xx:yy:zz (me)
   4s - F0:CB:A1:xx:yy:zz (wife)
   4s - F0:CB:A1:xx:yy:zz (friend)
Please reply with your first three bytes.


Another friend of mine:

4s - 0C:77:1A:xx:yy:zz


My address was modified completely just to remove information about my actual address. Likely your first three bytes are: F0:CB:A1.


No, it starts with D0:23


Yes I know, but given that of the three bytes reserved for Apple, a specific device type like 4s, 4, 5, or alike, happens to have a subset of the fourth byte combinations, the space is reduced to a bit more than 16 bits, making the brute force attack absolutely feasible.

p.s. I've verified that other 4s have a different (but numerical very "near") fourth byte. It seems in the range 20-24 or alike.
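To put numbers on the argument in this sub-thread, here is an added example (not code from the post, from WhatsApp, or from any commenter) that takes MAC addresses observed for a device model, groups them by OUI and by the fourth byte, and reports how many candidate addresses an attacker would have to try under each assumption. The sample addresses are constructed from the redacted prefixes quoted above with made-up lower bytes (the "D0:23" entry has an invented third byte). The derivation from MAC address to password is deliberately not modelled, because the page does not give it; the point is only that the input space is small.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List

MAC_RE = re.compile(r"^([0-9a-f]{2})(?:[:-]([0-9a-f]{2})){5}$", re.IGNORECASE)


def parse_mac(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' (colons or dashes) into 6 raw bytes; reject anything else."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(part, 16) for part in re.split(r"[:-]", mac))


def group_by_prefix(macs: Iterable[str], prefix_len: int) -> Dict[bytes, List[bytes]]:
    """Bucket addresses by their first prefix_len bytes (3 = OUI, 4 = OUI + vendor sub-range)."""
    buckets: Dict[bytes, List[bytes]] = defaultdict(list)
    for mac in macs:
        raw = parse_mac(mac)
        buckets[raw[:prefix_len]].append(raw)
    return dict(buckets)


def keyspace(macs: Iterable[str]) -> Dict[str, int]:
    """Candidate addresses to brute-force under three increasingly tight assumptions."""
    observed = list(macs)
    by_oui = group_by_prefix(observed, 3)
    by_four = group_by_prefix(observed, 4)
    # Assumption: a product line uses a contiguous run of fourth bytes per OUI,
    # so the span between the smallest and largest fourth byte seen is the range.
    span_per_oui = {}
    for oui, raws in by_oui.items():
        fourth = [r[3] for r in raws]
        span_per_oui[oui] = max(fourth) - min(fourth) + 1
    return {
        "per_oui_full": len(by_oui) * 2**24,               # whole 24-bit space per OUI
        "per_observed_4th_byte": len(by_four) * 2**16,     # only fourth bytes actually seen
        "per_4th_byte_range": sum(n * 2**16 for n in span_per_oui.values()),
    }


def candidates(prefixes: Iterable[bytes]) -> Iterator[str]:
    """Enumerate every address under the given 4-byte prefixes, in canonical lowercase form."""
    for p in prefixes:
        if len(p) != 4:
            raise ValueError("expected 4-byte prefixes")
        for tail in range(2**16):
            raw = p + tail.to_bytes(2, "big")
            yield ":".join(f"{b:02x}" for b in raw)


# Constructed sample: the redacted prefixes from the thread with invented lower bytes.
SAMPLE = [
    "F0:CB:A1:20:11:22", "F0:CB:A1:21:33:44", "F0:CB:A1:24:55:66",
    "0C:77:1A:1a:77:88", "D0:23:DB:05:99:aa",
]

if __name__ == "__main__":
    for name, n in keyspace(SAMPLE).items():
        print(f"{name:>24}: {n:>12,d} candidates")
```

Under the tightest assumption the sample gives 7 * 2^16 candidates, under the loosest 3 * 2^24; either is trivial to enumerate, which is why deriving a credential from a MAC address, however it is hashed, does not hold up.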


> "On iOS devices the password is generated from the devices WLAN MAC address"

On what planet is using this data a valid form of security? Anyone can get hold of a MAC address.


Just received an update on the iOS app stating "Full encryption for messages over mobile and WiFI".


Anyone know if deleting message history is enough to kill the history on their servers?


On their website it says that they don't store messages on the server. Once they are delivered, they get removed.


Does anybody know if the latest update changed anything on the security side?


seriously though, why does it have to send the whole contact list EVERY time?

you close whatsapp remove the contact list permission, open it again, surprise, it won't work. -_-


I presume because the list of potential people who you could connect to might change.

I guess they could re-scan it on a schedule but that wouldn't solve your issue and might annoy their user base who are using it because it "just works."

Plus removing a permission isn't something any app supports that I am aware of. It isn't even something you're meant to be able to do on Android.


point being, it's a stupid idea. every half decent programmer would just update the diff.


Nope, I wouldn't even consider that. Firstly because K.I.S.S. and secondly because you've exchanged a relatively small data "cost" with a much larger storage and processing "cost."

You've had to have a database of everyone's contacts and then be comparing X with Y every few connections...
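To make the tradeoff argued in the last few comments concrete, here is an added example (hypothetical; not WhatsApp's protocol and not code from any commenter) of the "just send the diff" approach: the client remembers the set of contact tokens from its last sync and uploads only additions and removals, and the server has to keep a per-user set to apply them against, which is exactly the storage cost the reply above points at. The phone-number normalisation is a simplified assumption, the sample address books are constructed, and the hashing is only to keep raw numbers off the wire; see the caveat in the code.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set


def normalize(number: str) -> str:
    """Canonical form for comparison: '+' followed by digits only.

    Assumption (simplified): numbers are already international, written either
    with a leading '+' or with a '00' trunk prefix. Spaces, dashes and
    parentheses are dropped so the same contact entered two ways matches.
    """
    digits = re.sub(r"\D", "", number)
    if digits.startswith("00"):
        digits = digits[2:]
    return "+" + digits


def token(number: str) -> str:
    """Opaque identifier sent on the wire instead of the raw number.

    Caveat: SHA-256 of a phone number is not a privacy control. The input space
    is tiny and a server can enumerate it; this only keeps the protocol from
    carrying raw numbers and gives a fixed-size key to diff against.
    """
    return hashlib.sha256(normalize(number).encode("ascii")).hexdigest()


@dataclass
class Client:
    """Keeps the set of tokens from the last successful sync."""
    last_synced: Set[str] = field(default_factory=set)

    def diff(self, address_book: Iterable[str]) -> Dict[str, List[str]]:
        """What changed since the last sync; an empty snapshot yields a full upload."""
        current = {token(n) for n in address_book}
        return {
            "add": sorted(current - self.last_synced),
            "remove": sorted(self.last_synced - current),
        }

    def commit(self, address_book: Iterable[str]) -> None:
        """Call once the server has acknowledged the diff."""
        self.last_synced = {token(n) for n in address_book}


@dataclass
class Server:
    """Must now hold per-user state: the storage and processing cost of the diff approach."""
    registered: Set[str] = field(default_factory=set)       # tokens of users who have the app
    contacts: Dict[str, Set[str]] = field(default_factory=dict)

    def apply(self, user: str, msg: Dict[str, List[str]]) -> List[str]:
        """Apply a diff and return which of this user's contacts are registered."""
        book = self.contacts.setdefault(user, set())
        book.difference_update(msg["remove"])
        book.update(msg["add"])
        return sorted(t for t in book if t in self.registered)


# Constructed sample data: second book drops one contact, adds one, and
# re-enters one with different punctuation (which must not count as a change).
BOOK1 = ["+1 415 555 0100", "+44 7700 900123", "0044 7700 900124"]
BOOK2 = ["+44 (7700) 900123", "0044 7700 900124", "+49 30 123456"]

if __name__ == "__main__":
    client = Client()
    server = Server(registered={token("+44 7700 900123"), token("+49 30 123456")})
    first = client.diff(BOOK1)            # full upload: 3 adds, 0 removes
    print("first sync:", server.apply("alice", first))
    client.commit(BOOK1)
    second = client.diff(BOOK2)           # 1 add, 1 remove
    print("second sync:", server.apply("alice", second))
```

Whether this is a win depends on the numbers: a few kilobytes of tokens per launch against a set per user on the server and a snapshot on the client that must survive reinstalls and restores, which is the comparison the reply above is making.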


New version of whatsapp for iOS is there.


Did the author email the WhatsApp team to give them any chance to fix this before they splashed it across the internet for anyone to abuse? The article makes no mention of it, so I assume not.

In my opinion, the obscurity peeled off by this expose did more to endanger WhatsApp users than the bad programming. So, I can only conclude this post's main goal is page views. OP could easily warn them, and at least wait until they didn't do anything before publishing.


My opinion - something so trivial as private data sent in plaintext isn't a bug or a security hole, it's bad by design. You shouldn't have to notify someone they've designed their app poorly. If he was taking advantage of a security hole, or something of that nature that wouldn't already be known to the developers, then I could see notifying them before publishing.


This is an excellent point. Fixing a design flaw this inherent is going to take more than a weekend of frantic dev time. It could conceivably take weeks to implement an overhaul to their framework, all the while the users are vulnerable.


They could theoretically take the app down, or issue a warning to users.

On the other hand, this article does little to alert users, while blithely informing techies, some of whom are likely to be hackers of some order.


In this case, I think I disagree. A lot of this is not just easy for an attacker to find - it is trivially easy for an attacker to find. Letting people know their communications are vulnerable is important, and it's not like they don't have plenty of alternatives.


Just because a skilled attacker can trivially find the information, doesn't mean that the 15 year old kid living next door to you can find it. Now they can.

The problem doesn't stem from giving information to "l33t hax0rz" but rather providing the key information that can be abused by anyone with a computer and half a brain. They are the ones more likely to make use of it in a widespread and destructive manner.

But with that said, most developers don't care if you tell them this stuff directly since it's simply information and not a proof of concept. Until someone starts using it and shows them that its actually a problem that is affecting their product they usually write it off as paranoia.


The whole point is that you didn't have to be a skilled attacker to figure out anything mentioned in the post. If the author had discovered an obscure security hole that allowed him to access sensitive information, then yes he's only going to make the problem worse by distributing that information online.

But it does not take a skilled attacker to "hack" a system where messages are being sent in plain text.


My point is that most of the threats exposed don't take elite hacker, or even "l33t hax0rz", skills to discover. A hugely greater percentage of people are going to hear about this and say, "oh, I should switch to something else" or "oh, I shouldn't say sensitive things" than are going to fail to hear about this and be snooped on by someone who did and wouldn't have figured it out anyway.


Yeah I mostly agree with you, except that I highly doubt that most people who use WhatsApp will actually hear about it having a security issue, let alone care about it.


The disclosure was previously published on Sept 5 (OP links to it)

http://samgranger.com/whatsapp-is-using-imei-numbers-as-pass...


The security history of WhatsApp is so horrible, it does not seem to make any sense to talk to them. The fact alone that their app is sending your contact list to their server, without asking you, on every app start, disqualifies the service. Their previous security track record just puts it over the edge.


Because it's always better for only the "bad guys" to know about these exploits? If it's as dead easy broken as the article claims then you can be damn sure a lot of other people already know about it and aren't advertising it. And with such a poorly designed security model do you really expect the app developer to care enough to essentially commit seppuku in the app stores till they fix it? Unlikely.

You elsewhere claim the author doesn't do enough to get the attention of non-techie users to justify publishing this? What else could he have done? Spelled it out simpler? He only has his tech blog, unless you think maybe he has funds to take out adverts and wishes to spend a small fortune alerting everyone that way?


A friend of mine works for WhatsApp. I tried bringing the original article to his attention, but it went down that day. I've linked him to both articles now.

I agree about the need to disclose such security issues to the authors privately. While I understand the sentiment of others, that it's such an inherent issue in their design that it'll take time to fix, that's not really a reason to not give them a chance. If it had been 1-2 months after disclosure, and it still wasn't fixed, then sure, grab your pitchforks. But the initial public disclosure was on Sept. 5. I don't know if there was any private disclosure, but 10 days is not a lot of time to fix these kinds of things.

Nevertheless, I've linked them to it, let's see what they do.


The pitchforks are out because this demonstrates complete incompetence on their part.


This is the security equivalent of having a giant flashing neon sign saying, "the door is unlocked, please come steal my stuff." That is to say, it's blindingly obvious to anyone who cares to look, so there's no reason to try to hide it, even temporarily.


I'm usually all for "responsible disclosure", but in this particular case, I don't believe that they weren't already aware of these issues. So shaming them was the right thing to do.



