
Hijacking Whatsapp accounts using the web version

With the introduction of changes such as end-to-end encryption for all users, Whatsapp went from an application that ignored security to one that many people respect.

Whatsapp accounts are tied to phone numbers. This means that your phone number is your login, and it is also what you are authenticated with.

Although this is not the best solution in terms of privacy, it spares careless users from having to remember yet another password, one they might otherwise hand over in a phishing attack.

A brief overview of the login process:

image

When the application is launched for the first time, the user must enter their phone number. A verification code is sent to that number by SMS or by a phone call. The user enters the code into the application, and an authentication token is then stored on the device.

When the user switches to a new device, the process must be repeated on that device, and the old device is deauthorized.

Whatsapp does not store old messages on their servers, so previous messages will not be transferred to the new device.

Of course, the process is actually more complicated, but this simplification is appropriate for the purposes of this article.

Convenience comes at the expense of security. The price is exposure to attacks that gain control of the phone number itself. It also requires trusting the mobile operator, which has full control over the number and could therefore take over the account with little effort.

Through the attacker's eyes


From the point of view of a "low-budget" attacker, this is hard to get around. There are only two options:

1) Gaining control of the victim's phone number. As noted above, this can be done through attacks on the mobile network or on the mobile operator. Even if the attacker does take over the number, it gives no access to the message history, and the victim will notice, because their phone gets deauthorized.

2) Trojanizing the phone itself and reading its data partition. This is expensive.

Meet the new player


In 2015, Whatsapp launched Whatsapp Web, a site that allows you to send and receive messages from a computer. To use it, the browser must be "paired" with the phone, and the phone remains in charge of the whole thing. Overview of the process:

image

The user scans the QR code shown on the Whatsapp Web page with the phone, and the browser is authorized. From then on the user can use Whatsapp in the browser for as long as the phone stays online.

This procedure opens a door for attackers. The trick is to get the victim to scan a QR code the attacker controls: that yields full access to the account, including past and future conversations. Bingo!

Attack description


It's simple: the attacker only has to trick the user into scanning a "malicious" QR code, which authorizes the attacker's browser. This gives the attacker full access to the Whatsapp account.

The following image shows how this works:

image

To make this harder, Whatsapp does not display a static QR code on its login page but generates a new one every two seconds. This prevents an attacker from simply copying the code and embedding it on another page: the copy expires before the victim scans it, so the attacker has to relay the live code to the victim in real time.

Demo


I developed a tool that uses Selenium to fetch the QR codes and express.js + socket.io to display them on the page. If the victim scans this code with her phone, the document.cookie and localStorage of the Selenium-driven browser are saved to a file on the attacker's machine.
The data obtained can be used to log into the victim's account using any browser.

→ Code on GitHub

Source: https://habr.com/ru/post/320282/
