I recently figured out a way to grab the session from any user through malicious code that takes your session data and uses that data to log into your account on any computer.
This code can be injected by any plugin that has access to your WhatsApp Web tab, and this would be done silently. So, I decided to create some simple JavaScript code that would take this data and send it to my server, which would save it.
The Experiment
In one hour I had the script and the server ready, but someone would need to inject the script via the console. I asked my friend, who was on his computer beside me, to run the code in his console inside the WhatsApp Web tab, just for a test I needed to do.
The data that I thought was sensitive was sent to my server, so I just copied and pasted this data into my WhatsApp Web and restarted my tab. Ready.
As I expected, I was inside his WhatsApp, with access to everything: conversations, contacts … I could talk and see any conversation from him.
Nice. I did nothing with his session. I just showed him, and he was very surprised. But we were on the same network. I wanted to know if this would work with people outside his network.
My wife.
I’ll ask her to copy this code into her console and tell her that it will make notifications of pretty good job openings appear on her WhatsApp.
I made a call with her, wondering how she had to do it, and that’s it. I had already received her data on my server. I did the same procedure. Wow! I was inside her WhatsApp, with access to all the conversations, contacts and the best thing is that we were not on the same network.
I need more
Well, now I thought: how harmful is that from a personal point of view? Many people have private conversations, secrets … Could a Chrome plugin do this job of getting this data automatically and sending it to a server?
I did it. Same result. The plugin had taken the data from my session and sent it to the server. At that point I thought it was really bad. Even though it was just conversations and having other people’s numbers, it would be very embarrassing if someone sent messages in your name, changed your photo …
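A defensive check for the plugin risk described above, as an added example that is not part of the original post: it reports which extension manifests declare host access that covers the WhatsApp Web tab. The sample manifests and all function names are constructed for illustration, and the matching is a simplified reading of Chrome's match-pattern syntax (ports are not handled).

```javascript
const TARGET = new URL("https://web.whatsapp.com/");

// True if a Chrome match pattern covers `url` (simplified: no port handling).
function patternCovers(pattern, url = TARGET) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|wss?|file|ftp):\/\/([^/]*)(\/.*)$/.exec(pattern);
  if (!m) return false; // API permission such as "tabs", not a host pattern
  const [, scheme, host, path] = m;
  const urlScheme = url.protocol.slice(0, -1);
  if (scheme === "*" ? !/^https?$/.test(urlScheme) : scheme !== urlScheme) return false;
  const hostOk =
    host === "*" ||
    host === url.hostname ||
    // "*.example.com" covers example.com and every subdomain, but not "evilexample.com"
    (host.startsWith("*.") &&
      (url.hostname === host.slice(2) || url.hostname.endsWith(host.slice(1))));
  if (!hostOk) return false;
  // Path is a glob: escape regex metacharacters, then turn "*" into ".*"
  const glob = path.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + glob + "$").test(url.pathname + url.search);
}

// Collect every declared pattern that reaches the target tab.
function auditManifest(manifest) {
  const declared = [
    ...(manifest.host_permissions || []).map((p) => ["host_permissions", p]), // MV3
    ...(manifest.permissions || []).map((p) => ["permissions", p]), // MV2 hosts live here
    ...(manifest.content_scripts || []).flatMap((cs) =>
      (cs.matches || []).map((p) => ["content_scripts.matches", p])),
  ];
  return declared
    .filter(([, p]) => typeof p === "string" && patternCovers(p))
    .map(([field, pattern]) => ({ field, pattern }));
}

function auditAll(manifests) {
  return Object.entries(manifests)
    .map(([id, m]) => ({ id, findings: auditManifest(m) }))
    .filter((r) => r.findings.length > 0);
}

const samples = { // constructed sample manifests
  "job-alerts": { manifest_version: 3, host_permissions: ["https://*.whatsapp.com/*"] },
  "page-helper": { manifest_version: 2, permissions: ["tabs", "<all_urls>"],
    content_scripts: [{ matches: ["*://*/*"], js: ["cs.js"] }] },
  "weather": { manifest_version: 3, permissions: ["storage"],
    host_permissions: ["https://api.example.com/*"] },
};
console.log(JSON.stringify(auditAll(samples), null, 2));
```

Any extension this flags can run script in the WhatsApp Web tab, so broad patterns such as `<all_urls>` deserve the same scrutiny as an explicit `whatsapp.com` entry.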
How can I help?
I reported it to the WhatsApp Team via Facebook, detailing the exploit of the crash, and am currently awaiting their response.
Conclusion
Well, I just wanted to share this experience with you. Curiosity always leads us down interesting paths, and since I love creating new solutions and am always full of ideas, it would not be bad to try to create a solution for this.
That is all, folks!
If you have any questions, I am available to help you!