by bashzor 5017 days ago
Why scary? I can log in with Gmail on a website too; it's not like your IMEI is public data. And yes, you can also forge Gmail's website when you can wiretap a network (OK, it's probably hard with HTTPS, but on most sites you can), so don't claim you can wiretap the MAC address or IMEI to hack your WhatsApp.
3 comments

No, it IS scary. First, even if an attacker can wiretap my network, and I assume that at least my ISP and government always can, I want my main means of communication to be secure: I PRETEND HTTPS on mail, Twitter, Facebook and so also on WhatsApp before using it. (Also, with HTTPS it's not hard, it must not be possible; if it is, it is a bug.) Second, if you try airodump-ng in a public place you will realize that you don't wiretap a Wi-Fi MAC address, it is screamed in every direction by every device that has Wi-Fi turned on, and note, not associated to an AP, simply turned on. Because this is how the network works, your device keeps yelling "I am /MAC address/ and know these APs, is there anyone near?" So, if a service authenticates me based on a broadcast value or on an easily retrievable value (I usually don't think that the guy that asked me to make a phone call might obtain some password of mine) I would not call that password-based authentication.
The IMEI can be obtained by dialing *#06# on most phones, so anyone that has physical access to your phone once can use it to access your WhatsApp account anytime.
Which would make WhatsApp about as easy to spoof as SMS. Oh no!
It's public to every app on your phone. Imagine if every app on your phone could listen and log as you entered passwords in your web browser?