Unreported WhatsApp Bug
Since the starting of mobile-era, I'm very much clear that there is no such word called privacy.
Due to which - I'm always interested to see what mobile apps are doing behind me.
Sometime back around three years ago - started a traffic monitoring all my PII at the lab environment which looks into all mobile traffic.
Guess what? It's WhatsApp passing my mobile number over unencrypted channel ..couldn't believe what I just saw. The next day, I went to my office started ARP poisoning and exploring traffic and yes it is.
Android version of WhatsApp passes mobile number in TCP traffic which was on clear text protocol.
What next? - Got a crazy idea :-)
Idea - ARP poison, extract numbers, lookup on truecaller using automated bash script & use yowsup python to greet people :-)
Truecaller Bash
Not that hard isn't? - Started working on it and now its time for fun .. that too in the airport - Hyderabad :-)
Message - "How are you? Hope you doing good? I just came to know that you are traveling - happy journey."
I got some really interesting replies :-)
Lessons learned
- Don't expect privacy from free apps.
- Don't connect to public WiFi
- Many bad people around you :-)
Interested to explore scripts I've used and PCAP captures?
there is no such thing as "free apps" anymore! we all pay with data! that's the most valuable asset we have on internet!
Blockchain Expertise
7 年You made a mistake. 1. Don't expect privacy from closed source apps
Senior Threat Researcher @ Sophos
7 年Good one