Whatsapp hacking

Posted on 17 November 2012


There have been many security leaks in whatsapp messenger. Here is a nice summary of history.


The biggest problem of whatsapp security is history: messages are now encrypted so can’t be sniffed with a MITM attack from an open wifi network anymore. The web is full with people saying that it’s plain text over SSL, but it’s not anymore since around may 2012.

On the other hand: if you’ve got the key it might be pretty simple to decrypt the messages. The key might be pretty simple if you know the IMEI and phonenumber. Plus, they say that the phonenumbers are still being sent unencrypted. I don’t know about images (they used to have the web-address of the image on the server as the message body). I’ve not been looking into this myself so I don’t know.

Database backup

But there are more options. First thing you need to know is that there is no whatsapp server that stores all the messages. When the message is delivered to your phone, it’s not on a server anymore. It’s only there on the phone. If you delete it from the phone before the database backup is made (04:00 in my phone) it will be gone forever and there is no way to get it back.

If it isn’t deleted before the automatic backup, you are lucky. The first option is to read the encrypted db files, but then you will have to have access to the actual SD card or phone they are stored on. This allows you to read the databases from the last seven days. You’ll need a program called Whatsapp_Xtract and this program needs you to have ActivePython installed in programfiles/python27. It will decrypt the db files with help of pyCrypto. Use the readme.

Another way to read the backups is with the phone itself. You only have to rename the one you need by deleting the date and then reinstall WhatsApp on your phone. Then when you start it the first time, it will give you the option to restore this database.


Another option is to use send and receive the messages with the venomous0x’s WhatsAPI that you can download from github. This is an unofficial API to whatsapp, which I think is not illegal if you use it with your own credentials. There used to be a js compile here but this doesn’t work anymore. The WhatsAPI seems to need python and php running on your computer. I guess that has something to do with whatsapp not being happy that they discovered the password/username system on september 14th.

It seems like it’s still working as they are updating it again since 29/9/2012. You have to note that you can only connect with one device, so messages will be delivered either to your mobile or your whatsapi, but not to both.


You can also send and receive messages through an online service like websapp. This is not hacking but the nice thing is that it is a simple way to get images to from your phone to the PC or send a longer whatsapp message from your computer. It gives a warning to the receiver in the first message, that they can always block the messages if they don’t like them. I guess it would be easy to copy the code of such an app to your own server and use it with your own mobile number.

Posted in: Office