MaFurther communication with Facebook (During my research have noticed that Signal has introduced a feature to relay calls through the signal server to void revealing IP addresses.Could you please recheck the approach to limit calls to trusted users or using a VPN? I believe using VPN all the time is not a feasible solution to protect the location privacy.).JanuResponse from Facebook (The decision to publish is entirely yours.JanuRequesting permission for public disclosure (In such a case, is it fine if I publish this finding with public disclosure?).This can include limiting calls to trusted users or using a VPN.) OctoResponse from Facebook (Due to the nature of the peer to peer protocol, the best methods for users who may be concerned about accidental disclosure is to take a proactive approach.OctoReply to Facebook (could you please let me know how WhatsApp users could mitigate this accidental disclosure of his IP and potential private information about his location?).In this case, the issue you've described is actually just intended functionality and therefore doesn't qualify for a bounty.)
Step 5: Disconnect the call once established Step 3: Call any whatsapp user randomly to capture the server IP addresses to filter Users: UserA is has whatsapp detail of UserB Such direct mapping between user to IP information can also be misused to track users' surfing habits and to influence him.įurther, the public IP could be exploited to launch targeted attacks towards whatsapp user home or office. Possibility to map whatsapp users with their public IP will not just reveal whatsapp users' location information but can also be misused to track their physical movement by maintaining location history. Targetinfo= cat /tmp/b| egrep -iw "OrgName:|NetName:|Country:" By filtering the Facebook and WhatsApp server IP addresses from the destination hosts, it is possible to reveal the correct public IP address of the target whatsapp user without his knowledge.įollowing is a quick script to exploit this vulnerability,įilter= tshark -i eth0 -T fields -f "udp" -e ip.dst -Y "ip.dst!=192.168.0.0/16 and ip.dst!=10.0.0.0/8 and ip.dst!=172.16.0.0/12" -c 100 |sort -u |xargs|sed "s/ / and ip.dst!=/g" |sed "s/^/ip.dst!=/g" It is observed that during a whatsapp (voice / video) call, application on caller side tries to establish a direct connection with the public IP address of recipient device. Latest version of whatsapp application on all platforms is vulnerable to remote whatsapp user public IP disclosure. By using this program you accept the fact that any damage (dataloss, system crash, system compromise, etc.) caused by the use of these programs is not bhdresh's responsibility.įinally, this is a personal development, please respect its philosophy and don't use it for bad things! Description/Impact PoC Video:
The author or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. The usual disclaimer applies, especially the fact that me (bhdresh) is not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs. This program is for Educational purpose ONLY. Leak the IP address and Geolocation of target whatsapp user Disclaimer
0 kommentar(er)
