Image by Leon Vogler

How I Hacked WhatsApp and Added Contacts to Groups When Being Blocked

Yuval Shprinz


A few months ago, I made a script to merge two WhatsApp groups by forwarding the messages between them in real time. The simple script ran on WhatsApp Web (it was written in JavaScript) and acted exactly like a user: whenever a message was received in one chat, the script entered the other and sent it there. Unfortunately, that script was awful and couldn’t handle a bunch of messages arriving together.

I was willing to do anything to fix it, even get my hands dirty with some WhatsApp client code. I looked for functions that get executed whenever messages are received, so I could edit them and make the messages flow between the groups. Instead I found a large collection of high-level functions being used by WhatsApp behind the scenes (the code was actually quite beautiful).

Cool Function

I started playing with the functions to see if I could do something cool. After some fun, I saw that the function “addToGroup” works fine even when its parameter is an invalid phone number (one not connected to a WhatsApp account). Normally those numbers are filtered out of the contact list when someone wants to add a participant to a group. What is dangerous about that behavior? By itself, nothing much; at most it can cause some confusion, because Oscar the admin can trick Alice into thinking that Bob is a participant in the group while Bob doesn’t even use the app (invalid phone numbers were shown with the default WhatsApp account picture).

Exploiting The Breach

Maybe some of you remember that WhatsApp used to crash when one tried to load very large messages (especially ones made of emojis), and as a result the “read more” buttons were added. I guessed that the system messages which announce that someone entered the group don’t have such buttons, so I added a number with 200,000 digits to the chat, and it indeed crashed on my mobile device. However, the numbers do have an upper length limit, so I couldn’t add messages large enough to crash the strongest phones on the market (it took them a couple of seconds to load the chat though).

Finding this got me very excited, and I was planning to report it to Facebook (the owner of WhatsApp), but I wanted to find a few more uses of the bug before reporting.

After testing the server I saw that it ignores characters other than digits in phone numbers, so I tried to think of special parts of a phone number that could maybe mess things up. Two things came to mind: the country/area code, and the plus and minus signs. Both turned out to be the genuinely dangerous uses of the bug.

Quick Maths

A plus sign can appear at the beginning, before the area code, and minus signs can appear inside the number to separate groups of digits. Very quickly I saw that the poor server didn’t expect a minus sign at the start of the number: it added such a number to the group without any problems, but when someone wrote something in the chat, WhatsApp crashed on that person’s device and the message wasn’t sent. When an admin removed the bad number from the chat, everything returned to normal, so admins could freeze and unfreeze chats, for example making it so that nobody but them could write in a chat. Pretty big power.

Area Codes

When I thought about the area codes I noticed that they aren’t really part of the number, so I tried to represent the same account with two different numbers by adding leading zeros to the area code (for example, 000972–541337331 instead of 972–541337331). When I added the modified number to the group while the normal one was already there, nothing happened. If the normal number wasn’t there, the addition succeeded, so I wrote something in the chat to see whether the normal account received the message. The server then did something strange to repair the situation: it removed the modified number from the group and added the right one.

Well, from here everything went smoothly; this was the real gem of the bug. The added account didn’t know who added it (because the server did), and admins could remove members that way too, so anonymous actions were possible. Members who were added that way couldn’t report the adding admin as a spammer (the button just didn’t appear). And most dangerously, admins could add contacts who had blocked them to a group (because the server performed the actual final addition), and blocking doesn’t affect messages that pass through groups.
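The three number-handling problems described above (a leading minus accepted, leading zeros on the country code producing a second spelling of the same account, and a huge digit string) all come from treating a phone number as “whatever digits are left after stripping everything else”. The JavaScript below is an added example, not WhatsApp’s code and not the author’s script. `laxNormalize` is a hypothetical stand-in for the behavior the post describes; `strictCanonicalize` and `addToGroupSafe` are hypothetical hardened versions that canonicalize to E.164 form before checking membership. The function names, the member set and the sample numbers are all constructed for the example.

```javascript
// Added example (not WhatsApp's code): canonicalize a phone number before
// using it in a privileged action such as adding a group participant.

// E.164: a leading "+", a non-zero first digit, 8 to 15 digits in total.
const E164 = /^\+[1-9]\d{7,14}$/;

// Lax normalizer mirroring the behavior the post describes: every non-digit
// is silently dropped, so "-541337331" is accepted and "000972541337331"
// is treated as a different account from "972541337331".
function laxNormalize(raw) {
  return String(raw).replace(/[^0-9]/g, "");
}

// Strict canonicalizer (hypothetical hardened version):
//  - rejects a leading minus instead of stripping it,
//  - accepts "+" or the "00" international dial prefix, then digits with
//    optional separators (space, hyphen, parentheses) between digit groups,
//  - refuses leading zeros in front of the country code, so one account has
//    exactly one spelling,
//  - enforces the E.164 length limit, which also kills absurdly long inputs.
function strictCanonicalize(raw) {
  if (typeof raw !== "string") return null;
  const s = raw.trim();
  if (s.startsWith("-")) return null;               // the chat-freezing case
  const m = /^(\+|00)?([0-9][0-9 ()\-]*)$/.exec(s);
  if (!m) return null;                              // unexpected characters
  const digits = m[2].replace(/[^0-9]/g, "");
  if (digits.startsWith("0")) return null;          // "000972..." style aliases
  const canonical = "+" + digits;
  return E164.test(canonical) ? canonical : null;   // length and shape check
}

// Membership guard: `members` is a Set of canonical E.164 strings (constructed
// for the example). Adding is refused for invalid numbers and for numbers
// whose canonical form is already present, so "00972-..." cannot sneak in
// beside "+972...".
function addToGroupSafe(members, raw) {
  const canonical = strictCanonicalize(raw);
  if (canonical === null) return { ok: false, reason: "invalid phone number" };
  if (members.has(canonical)) return { ok: false, reason: "already a member" };
  members.add(canonical);
  return { ok: true, number: canonical };
}

// Stand-alone demonstration with constructed sample numbers.
if (typeof require !== "undefined" && require.main === module) {
  const group = new Set(["+972541337331"]);
  for (const n of ["-541337331", "000972-541337331", "00972-541337331",
                   "+1 (415) 555-0100", "+" + "9".repeat(200000)]) {
    console.log(JSON.stringify(n.slice(0, 20)), "->",
                "lax:", laxNormalize(n).slice(0, 20),
                "strict:", strictCanonicalize(n),
                "add:", JSON.stringify(addToGroupSafe(group, n)));
  }
}
```

The point of keeping `laxNormalize` beside `strictCanonicalize` is the comparison: the lax form happily returns a value for every input the post used, while the strict form either maps it to the single canonical spelling (so the membership check catches the alias) or rejects it outright.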

Final Report

So I reported the whole thing via the Facebook bug bounty program, and the experience was actually very bad. The average response time was about a week, even for simple messages. In other write-ups I read, people got responses within several hours to a couple of days, so I don’t really know why that happened. Maybe I was queued last because they know from my Facebook account (a requirement for reporting) that I’m a teen or something. Anyway, here’s the timeline of the main events:

  • Sep 24: I send a report with the title “WhatsApp group administrators are able to add contacts with invalid phone numbers to groups, which leads to some major vulnerabilities”
  • Oct 2: I get informed that they’re looking into it
  • Oct 18: Fix deployed
  • Oct 21: I make sure they fixed it right and tell them they did
  • Nov 16: They close the report and award me $1250

Summary

What makes this exploit special is its simplicity. I’m more than sure that thousands of people found the bug in addToGroup before me but didn’t find its dangerous uses. The script that moved messages between the groups worked very well, by the way :)

It’s not the first exploit I’ve found on a real site, but it’s definitely the most honorable one. If web security is interesting to you (and it should be by now), just dive in; there are some great sources on the internet to start from. Some good links:

  • xss-game teaches about common XSS attacks (cross-site scripting), which inject malicious scripts into server pages (for example, posting a comment with a <script> HTML tag in it can make malicious JavaScript code run when users load the comment). Personally I liked that hacking game the most.
  • hack this site: some sites built to be hacked.
  • Other write-ups regarding Facebook bugs. I learned a lot from reading some of these.

If you don’t know HTML and JavaScript yet (like me about one year ago), you should read a brief introduction here and try to read sites’ code as soon as you can (using Chrome DevTools, or the other tools your browser has). That’s the best way to learn in my experience (and it’s really not important to remember what every tag means at the start; just use Google when in need, and in no time you’ll know them all).


Yuval Shprinz

Cybersecurity hobbyist, university student, Age of Mythology pro