WhatsApp Flaw Lets You Spoof Someone Else’s Phone Number

I have been using WhatsApp for more than a year now and no doubt, it is the best messaging app. But I discovered something strange while using the app today. WhatsApp does not recognize a SIM change in your Android device (tested on an Xperia U running CyanogenMod 9 with the latest version of WhatsApp as of 28th of March).

WhatsApp uses only your phone number to identify you. When you change your SIM, your identity changes and you need to create a new account on WhatsApp using your new number. I have two SIM cards – an old one and a new one (let us denote them as SIM A and SIM B respectively). I have been using WhatsApp with the phone numbers associated with both SIM A and SIM B.

I made a backup of WhatsApp and other apps using ROM Toolbox Pro before I flashed CyanogenMod 9 on my Xperia U. I prefer ROM Toolbox Pro over Titanium Backup because it backs up all apps and data with a single tap. So I wiped data from CWM, flashed CM 9 on my device and restored all apps along with their data. All apps include WhatsApp, which was backed up when I was using SIM A.

For some reason, I don’t use SIM A for WhatsApp anymore and I have it inserted in a device that does not support WhatsApp. Since I may wish to use it later, I did not delete my WhatsApp account. I now use SIM B on my Xperia U. So now, when I use WhatsApp, it does not ask me for any phone number verification. It still thinks that I am using SIM A. Even though I have changed my phone number, WhatsApp sends messages to my contacts using the phone number associated with SIM A.

Here is a short video on how you can reproduce it.

A simple workaround is to clear WhatsApp data on my phone and start using it with the phone number I am actually using. So why should I be worried? Well, I would be worried if someone had grabbed the backed-up data on my phone and restored it on his device. He can now send messages via WhatsApp that show my name as the sender. Grabbing data from someone’s phone is easy, simple and quick. You can send the backed-up data to the cloud. ROM Toolbox Pro lets you do that.
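The behaviour described above, as an added toy model (this is not WhatsApp's code, and the `Server`, `Phone` and `scenario` names, the SIM identifiers and the phone number are all hypothetical): the number is verified once at registration, the resulting credential lives in app data, and identity on every later message comes from that credential alone. The hardened variant binds the credential to the SIM it was issued for and forces re-verification when the SIM no longer matches.

```python
import secrets


class Server:
    """Models the messaging backend: it maps long-lived credentials to numbers."""

    def __init__(self):
        self.sessions = {}   # credential -> verified phone number
        self.bindings = {}   # credential -> SIM identity it was issued to

    def register(self, phone, sim_id):
        # In the real flow an SMS code proves control of `phone`; assumed done here.
        cred = secrets.token_hex(16)
        self.sessions[cred] = phone
        self.bindings[cred] = sim_id
        return cred

    def sender_for(self, cred, current_sim):
        """Weak design from the post: whoever holds the credential is the number."""
        return self.sessions.get(cred)

    def sender_for_hardened(self, cred, current_sim):
        """Mitigation: the credential only counts from the SIM it was bound to;
        any mismatch returns None, i.e. the client must re-verify its number."""
        phone = self.sessions.get(cred)
        if phone is None or self.bindings.get(cred) != current_sim:
            return None
        return phone


class Phone:
    """A handset: a current SIM plus the app data a backup tool captures."""

    def __init__(self, sim_id):
        self.sim_id = sim_id
        self.app_data = {}


def scenario(hardened, restore_sim):
    """Register on SIM-A, restore the backed-up app data onto a handset holding
    `restore_sim`, and report which number that handset now sends as."""
    server = Server()
    original = Phone("SIM-A")
    original.app_data["cred"] = server.register("+15550001111", "SIM-A")
    restored = Phone(restore_sim)
    restored.app_data = dict(original.app_data)   # backup restored verbatim
    check = server.sender_for_hardened if hardened else server.sender_for
    return check(restored.app_data["cred"], restored.sim_id)
```

Binding to the SIM covers the SIM-swap case in the post; for a copied backup, the credential itself should be excluded from backups or kept in device-bound storage so that restoring app data elsewhere does not carry the identity with it.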

I am not sure how many of you have come across this, but it might pose concerns if someone sends messages using a phone number that is associated with your WhatsApp account. Someone can pretend to be YOU on WhatsApp. If you don’t want this to happen to you, I do recommend storing your backups in the cloud, but in password-protected zip files.

I have reported this to WhatsApp Inc. but have not received any reply yet. I’ll update this post as soon as I get a reply from them.