WhatsApp Inc. has, however, been in touch with the developers behind the GitHub project WhatsAPI, an open source implementation of the WhatsApp protocol written in PHP and Python. The company has threatened to take legal action against the developers if they do not take the project offline. heise Security has been told by one of the developers that they have decided to acquiesce to this request and to cease working on the API.
WhatsApp’s ultimatum has not come out of the blue – it was issued shortly after heise Security demonstrated how easy it was to compromise other users’ accounts using the API. This does not, however, alter the underlying problem. There is now a web service based on the API that lets an attacker send and receive messages in the name of a WhatsApp user, knowing only that user’s phone number and IMEI or Wi-Fi adapter MAC address. Users are advised against using the service, however, as it is quite possible that data allowing permanent access to such an account could fall into the wrong hands.
The way it has dealt with this serious problem does not inspire confidence in the company behind the app, which is used by millions of smartphone owners around the world to send more than one billion messages a day.