This post covers a recently discussed attack vector. The researcher explains the full details and how he could hack WhatsApp users; the text below is translated from his write-up.
A hacker named Mohamed Abd Elbaset explains that WhatsApp provides two ways of connecting: the mobile app and the website at https://web.whatsapp.com. The web version has a complex authentication method: you do not enter a username or password, you just scan a QR code with your mobile to log in. The web version is not an independent way to communicate, because the mobile must be online for it to work; if your mobile loses its connection, the web version disconnects automatically. So you can use this service if your mobile is about to run out of charge, for example.
WhatsApp provides high security on its service: it enforces HTTPS, so no MITM attacks can be carried out, and each QR code is valid for only 20 seconds, which means 3 QR codes every minute.
Here you can read more about WhatsApp authentication.
So what do you need to hack a WhatsApp account? A vulnerability, right! Suppose we do not have physical access to the victim's mobile. The researcher said that exploiting this technique needs some social engineering, so the scenario used is:
- The attacker visits web.whatsapp.com and gets a QR code, which he will mirror later.
- You need to send a link to the victim. The researcher said that if you are both on the same LAN, you do not need to send a link; you can use ARP poisoning instead, then inject malicious content that convinces the victim that this is the real WhatsApp and that he needs to scan the mirrored QR code.
This video shows how it works on both sides, the attacker's and the victim's.
Fake WhatsApp page owned by the attacker
This image shows a newspaper website locally poisoned with a malicious QR code
The attack was submitted to OWASP at https://www.owasp.org/index.php/QRLJacking
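
A defensive sketch of the flow described above, added here as an example and not WhatsApp's or the researcher's code: the server keeps the 20-second validity from the post, but a scan alone does not log the browser in; the phone first shows which browser requested the code, and the user must approve it. The class `QrLoginService`, its method names and the sample addresses are assumptions made for illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

QR_TTL_SECONDS = 20  # validity window stated in the post


@dataclass
class PendingLogin:
    browser_ip: str      # address of the browser that requested the QR code
    browser_agent: str   # user agent of that browser
    issued_at: float
    scanned_by: Optional[str] = None  # account that scanned, not yet approved


class QrLoginService:
    """Hypothetical server side of a QR login (assumption, not WhatsApp's code)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # token -> PendingLogin

    def issue(self, browser_ip, browser_agent):
        """Create the random token that the web page renders as a QR code."""
        token = secrets.token_urlsafe(32)
        self._pending[token] = PendingLogin(browser_ip, browser_agent, self._clock())
        return token

    def scan(self, token, account, phone_ip):
        """Phone scanned the code: no login yet, return what the phone must show."""
        entry = self._pending.get(token)
        if entry is None or self._clock() - entry.issued_at > QR_TTL_SECONDS:
            self._pending.pop(token, None)  # unknown or expired
            return None
        entry.scanned_by = account
        return {"browser_ip": entry.browser_ip,
                "browser_agent": entry.browser_agent,
                "warn": phone_ip != entry.browser_ip}  # True if addresses differ

    def confirm(self, token, account, approved):
        """Finish the login only if the scanning account approved this browser."""
        entry = self._pending.pop(token, None)  # single use either way
        if entry is None or entry.scanned_by != account or not approved:
            return None
        return {"account": account, "browser_ip": entry.browser_ip}
```

The address mismatch is only a warning: in the same-LAN scenario the phone and the attacker's browser can share one public address, so the explicit approval step is the control that matters.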