
From your post, it seems like you didn't contact WhatsApp before publishing this post. What was your reasoning for going public with this vulnerability before at least trying to contact them and giving them a chance to resolve the issue?



This is a well-known design decision on their side. This is not as much a discovery as bringing it up.


Is there a particular reason (that you're aware of) for this decision? I'm certainly no expert on the matter, but it seems risky to store everything like that, especially unsalted. LinkedIn, anyone?


The problem isn't storing -- remember that we don't know how they store it, we only know how the password is generated. IMEI is intended to be unique and private -- e.g. knowing your IMEI might be enough to report the phone as stolen. If someone knows your IMEI they most likely have enough control over the phone to either completely spoof it or put malicious software on it. This makes it a reasonable tradeoff against implementing "proper" passwords, with their own ton of problems.


> IMEI is intended to be unique and private

It's intended to be unique but not secret and not hard to guess. It's a bit like your SSN or a computer's MAC address.

> If someone knows your IMEI they most likely have enough control over the phone to either completely spoof it or put malicious software on it

Err, no? Your phone can be asked to broadcast it via radio, your phone's previous owner / sales clerk knows it, etc, your wife/gf knows it, etc. Now it's trivial for any of those to gain access to your WhatsApp without any active and sophisticated attack requiring physical access.

Sure, with sufficient effort it might be possible for someone sniffing radio or having at some point handled your phone to subvert it in other ways, but this is zero effort.


I sent them a message a few days ago, but didn't receive a reply (yet).



