User credentials are sent in clear text in WhatsApp web — FIXED | Facebook Bug Bounty

INTRODUCTION

HTTPS (Hyper Text Transfer Protocol Secure) is the secure version of HTTP, the protocol over which data is sent between your browser and the website you are connected to. It encrypts all communication between the browser and the website. All communication sent over plain HTTP connections is in ‘plain text’ and can be read by any hacker that manages to break into the connection between the browser and the website.

Confidential information such as user credentials and credit card details should never be sent over an HTTP connection, since it can be read by such a hacker.

SCOPE

https://translate.whatsapp.com

DESCRIPTION

The website https://translate.whatsapp.com accepts user credentials through its sign-in page. Hence this information should always be transferred over an encrypted channel (HTTPS) to avoid being intercepted by malicious users. If a user accesses the above website over HTTP, the server should redirect them to HTTPS to make it secure; this is referred to as Force HTTPS. I tested it on some browsers.

1. Chrome Browser

If we access http://translate.whatsapp.com (HTTP — Not secure)

It automatically redirects to https://translate.whatsapp.com (HTTPS — Secured)

2. Epic Browser

But if we access http://translate.whatsapp.com (HTTP — Not secure) in the Epic Browser, it does not redirect to the HTTPS secured site. Hence any user who accesses the above website in the Epic Browser sends their credentials over an unencrypted channel, which can be read by any hacker that manages to break into the connection between the browser and the website.

Example URL

http://translate.whatsapp.com/sign-in?next

http://translate.whatsapp.com/sign-in?next=%2Flogin%2Ftwitter

So a third party may be able to capture the user credentials by intercepting the unencrypted HTTP connection. This is serious, since with the user credentials the hacker gets full access to the user’s account.
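The fix the report asks for is a server-side Force HTTPS, which should not depend on which browser the user runs. The following is an added example (not the original author's code or the site's configuration) that checks a plain-HTTP reply for a same-host redirect to https:// that keeps the path and query, and the HTTPS reply for a Strict-Transport-Security header; the sample replies are constructed, not captured from the real site.

```python
"""Server-side "Force HTTPS" check, written as an added example for this
report (not the original author's code). Two constructed replies stand in
for what a client would receive: the plain-HTTP reply, which must redirect
to the same URL over https://, and the HTTPS reply, which must carry
Strict-Transport-Security (browsers ignore that header when it arrives
over plain HTTP, so it is only meaningful on the TLS response)."""
from urllib.parse import urlsplit


def parse_head(raw: str):
    """Return (status_code, {lowercased header: value}) from a raw HTTP/1.1 reply."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split(" ", 2)[1])
    headers = {}
    for line in head[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def forces_https(http_url: str, http_reply: str, https_reply: str) -> dict:
    """Evaluate whether a site forces HTTPS independently of the browser."""
    req = urlsplit(http_url)
    status, hdrs = parse_head(http_reply)
    target = urlsplit(hdrs.get("location", ""))
    redirects = (status in (301, 302, 307, 308)
                 and target.scheme == "https"
                 and target.hostname == req.hostname)
    # A redirect that drops path or query breaks deep links like /sign-in?next=...
    keeps_path = redirects and target.path == req.path and target.query == req.query
    _, tls_hdrs = parse_head(https_reply)
    hsts = "strict-transport-security" in tls_hdrs
    return {"redirects_to_https": redirects, "keeps_path": keeps_path,
            "hsts": hsts, "forced": redirects and keeps_path and hsts}


# Constructed sample replies (not captured from the real site).
URL = "http://translate.whatsapp.com/sign-in?next=%2Flogin%2Ftwitter"
GOOD_HTTP = ("HTTP/1.1 301 Moved Permanently\r\n"
             "Location: https://translate.whatsapp.com/sign-in?next=%2Flogin%2Ftwitter\r\n"
             "Content-Length: 0\r\n\r\n")
BAD_HTTP = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            "<form method=\"post\" action=\"/sign-in\">...</form>")
TLS_OK = ("HTTP/1.1 200 OK\r\n"
          "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n")
TLS_NO_HSTS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    print("fixed     :", forces_https(URL, GOOD_HTTP, TLS_OK))
    print("vulnerable:", forces_https(URL, BAD_HTTP, TLS_NO_HSTS))
```

The raw reply strings can be swapped for real response heads captured with a proxy or `http.client`; the login form being served directly over HTTP (the "vulnerable" case) is exactly what the Epic Browser test above observed.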

Facebook accepted this as a vulnerability and also awarded a bounty.

POC Link https://drive.google.com/file/d/1O_jpbTDSf2sVCa8-Fuse7c1vmLMIXIY1/view