Hijacking Whatsapp accounts using Whatsapp Web?
It seems possible: let’s analyze a recently published research
Really interesting article by Martin Wagner about a technique that allows account hijacking on Whatsapp using the web interface of this messaging service.
Whatsapp accounts are based on phone numbers. This means your phone number is your username and it’s also used for authentication. While this is not perfect from a privacy standpoint it saves the, often non-technical, user from having to remember yet another password that they could potentially reuse or, even worse, disclose through a phishing attack.
When starting the app for the very first time the user has to enter their phone number to start the enrollment process: to the entered number the app’s backend sends a code by SMS or voice call.
After that code has been entered into the app, the authentication token is saved on the device: obviously when the user gets a new device the process needs to be repeated for this device and the old one will be de-authorized.
This process is vulnerable to attacks like cell network hacking that can be used get access to a phone number.
From the attacker’s perspective there are only two possible inroads:
1. Accessing the victims phone number in some way. As mentioned above, this could be achieved by some kind of attack against the cell network or the mobile service provider. Even if access to the phone number could be obtained, though, it would not give access to any old messages or the chat history and the victim would become instantly aware something was up, as their phone would get logged out.
2. Break into the OS and get access to the data partition etc. While this would work, it is quite expensive.
…or, using Whatsapp Web:
[…] a website that conveniently allows sending and receiving Whatsapp messages from a computer. To use it, a browser has to be peered with the phone, and the phone remains in command.
Simply scanning a QR code shown on the Whatsapp Web page using the Whatsapp mobile app can authorize the browser, and allows the webapp to control the account, as long as their phone is turned on and has network access.
So, the attack?
I quote Martin’s explanation:
It’s pretty simple: the attacker only needs to trick the user into scanning an “malicious” code to authorize the attacker’s browser. This will give them full access to the Whatsapp account of the victim. A simple online raffle, in which the victim is asked to scan a code to enter, could pose as a lure.
To complicate it, Whatsapp does not display a static QR code on their registration page but generates a different one every few seconds. This prevents attackers from simply copying the code and publishing on a new page.
Martin Wagner has also realized a POC demo of the attack, that can be consulted on this github repository:
The tool I’ve developed uses selenium to get the QR codes and express.js + socket.io to display them on a separate page. If a victim scans this code using their phone, document.cookie and localStorage of the selenium browser are dumped into a file on the attacker’s machine. The acquired data can then be used to log into the victim’s account using any browser.