I recently figured out a way to grab the session from any user through malicious code that takes your session data and uses that data to log into your account on any computer.
This code can be injected by any plugin that has access to your WhatsApp Web tab, and this would be done silently. So, I decided to create a simple piece of JavaScript code that would take this data and send it to my server, which would save it.
The Experiment
In one hour I had the script and the server ready, but someone would need to inject the script via the console. I asked my friend, who was on his computer at my side, to run the code in his console inside the WhatsApp Web tab, just for a test I needed to do.
The data that I thought was sensitive was sent to my server, so I just copied and pasted this data into my WhatsApp Web and restarted my tab. Ready.
As I expected, I was inside his WhatsApp, with access to everything: conversations, contacts … I could talk and see any conversation of his.
Nice. I did nothing with his session. I just showed him, and he was very surprised. But we were on the same network. I wanted to know if this would work with people outside his network.
My wife.
I’ll ask her to copy this code into her console and tell her that with it, notifications of pretty good job openings will appear on her WhatsApp.
I made a call with her, wondering how she had to do it, and that’s it. I had already received her data on my server. I did the same procedure. Wow! I was inside her WhatsApp, with access to all the conversations, contacts and the best thing is that we were not on the same network.
I need more
Well, now I thought: how harmful is that from a personal point of view? Many people have private conversations, secrets … Could a Chrome plugin do this job of getting this data automatically and sending it to a server?
I did. Same result. The plugin had taken the data from my session and sent it to the server. At that point I thought it was really bad. Even though it was just conversations and other people’s numbers, it would be very embarrassing if someone sent messages in your name, changed your photo …
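A defensive check that follows from the point above, as an added example that is not part of the original article: it reads extension manifests and reports which ones are granted access to the WhatsApp Web origin. The sample manifests and their names are constructed, and the pattern matcher covers Chrome's documented match-pattern syntax only as far as this check needs.

```javascript
// Added example: which extensions could run code in the WhatsApp Web tab?
const TARGET = new URL("https://web.whatsapp.com/");

// True if a Chrome match pattern (scheme://host/path) covers the target URL.
function patternCovers(pattern, target = TARGET) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|wss?|file|ftp):\/\/(\*|\*\.[^/*]+|[^/*]+)?(\/.*)$/.exec(pattern);
  if (!m) return false; // API permission such as "storage", not a host pattern
  const [, scheme, host = "", path] = m;
  const targetScheme = target.protocol.slice(0, -1);
  if (scheme === "*" ? !/^https?$/.test(targetScheme) : scheme !== targetScheme) return false;
  const name = target.hostname;
  const base = host.slice(2); // only meaningful for "*.domain" patterns
  const hostOk = host === "*" ||
    (host.startsWith("*.") ? name === base || name.endsWith("." + base) : host === name);
  if (!hostOk) return false;
  // The path part is a glob in which "*" matches any run of characters.
  const glob = path.split("*").map(s => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&")).join(".*");
  return new RegExp("^" + glob + "$").test(target.pathname + target.search);
}

// Collect every manifest entry that grants access to the target origin.
function auditManifest(manifest) {
  const findings = [];
  const check = (source, patterns) => {
    for (const p of patterns || []) if (patternCovers(p)) findings.push({ source, pattern: p });
  };
  check("permissions", manifest.permissions); // Manifest V2 keeps host patterns here
  check("host_permissions", manifest.host_permissions); // Manifest V3
  check("optional_permissions", manifest.optional_permissions);
  check("optional_host_permissions", manifest.optional_host_permissions);
  (manifest.content_scripts || []).forEach((cs, i) =>
    check(`content_scripts[${i}].matches`, cs.matches));
  return findings;
}

// Constructed sample manifests, not real extensions.
const SAMPLES = {
  "job-alerts (constructed)": { manifest_version: 3, permissions: ["storage"],
    host_permissions: ["*://*.whatsapp.com/*"] },
  "all-sites-helper (constructed)": { manifest_version: 2, permissions: ["tabs", "<all_urls>"] },
  "news-reader (constructed)": { manifest_version: 3, permissions: ["storage"],
    content_scripts: [{ matches: ["https://news.example.org/*"], js: ["c.js"] }] },
};

function auditAll(samples = SAMPLES) {
  return Object.fromEntries(Object.entries(samples).map(([n, m]) => [n, auditManifest(m)]));
}

console.log(JSON.stringify(auditAll(), null, 2));
```

Run it with Node.js after replacing `SAMPLES` with the parsed `manifest.json` of each installed extension; any non-empty result is an extension that can read what the WhatsApp Web tab stores.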
How can I help?
With that, I decided to create another plugin, but this one would keep your session safe. It would prevent these contacts from being copied and sent to a server, or a popup from being opened to pass that data to another site.
On the same day came WhatsApp Shield: one way to keep your WhatsApp protected.
Conclusion
Well, I just wanted to share this experience with you. Curiosity always leads us down interesting paths, and as I love creating new solutions and am always full of ideas, it would not be bad to try to create a solution for this.
That is all, folks!
If you have any questions, I am available to help you!
How I Invaded the Sections of Other Users Through WhatsApp was originally published in Hacker Noon on Medium, where people are continuing the conversation by highlighting and responding to this story.