WhatsApp Abuse Issues

Posted Jul 24, 2013
Authored by Curesec Research Team

WhatsApp fails to secure communications when spawning functionality for Google Wallet and Paypal. Versions 2.9.6447 through 2.10.751 are affected.

tags | advisory
SHA-256 | 260e26aeec72763f25b273ccb4f424dd4aeffd1b74f89099d65012fdf72375d4


Reference:
https://cureblog.de/2013/07/phishing-google-wallet-and-paypal-by-abusing-whatsapp/


Phishing Google Wallet and Paypal by abusing WhatsApp

-=Introduction=-

WhatsApp is one of the most commonly used tools, aka 'Apps', on
smartphones with access to wireless networks or a so-called data
'flatrate'. Because it communicates over the internet connection, people
do not have to pay any extra fees for sending a text message somewhere,
even if the receiver is in another country.

WhatsApp is available for almost every platform on the market. The
program exists for Nokia, Blackberry, Android and iOS. It is available
here: https://www.whatsapp.com. This post focuses on the version for
Android.

The app is free for one year on Android devices. After that time the
user has to buy a yearly license. The application provides three methods of
payment:

google wallet
paypal
payment link.

They can be selected via Menu->Settings->Account->Payment Info.

-=Bug=-

Google Wallet and PayPal payments work in the same way. When one of them
is selected, WhatsApp opens an in-app browser and contacts its main server
www.whatsapp.com with the request:

/payments/google.php?phone=XXXXXXXXXXXX&cksum=<request checksum>&sku=1&lg=en&lc=US

or

/payments/paypal.php?phone=XXXXXXXXXXXX&cksum=<request checksum>&sku=1&lg=en&lc=US

In response to this request the browser is redirected to the proper
checkout service.
The payment link option currently seems not to work, i.e., nothing
happens.

-=Attacks=-

Even though the communication with the payment systems is HTTPS secured,
the initial contact with the main server www.whatsapp.com is NOT, as can
be seen in the Wireshark logs:

GET
/payments/google.php?phone=xxxxxxxxxxxxx&cksum=<checksum>&sku=1&lg=en&lc=US
HTTP/1.1
Host: www.whatsapp.com
Accept-Encoding: gzip
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.7)
Cookie: __utmmobile=0xxxxxxxxxxxxxxxxxxxx
Accept:application/xml,application/xhtml+xml,text/html;
q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7

After WhatsApp has sent this unencrypted request, it receives the
following answer.

HTTP/1.1 200 OK
X-Powered-By: PHP/5.4.7
Content-type: text/html
Transfer-Encoding: chunked
Date: Mon, 10 May 2013 05:34:36 GMT
Server: lighttpd/1.4.31
5e4

<html>
<head>
<meta name="HandheldFriendly" content="true"/>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>WhatsApp Messenger payment</title>
</head>
<body onLoad="document.getElementById('google').submit()">
<p>Please wait...</p>
<form id="google" method="POST" action="https://checkout.google.com
api/checkout/v2/checkoutForm/Merchant/xxxxxxxxxxxxxx"
accept-charset="utf-8">
<input type="hidden" name="shopping-cart.items.item-1.item-name"
value="One year of WhatsApp service for phone XXXXXXXXXXXXXXX"/>
<input type="hidden" name="shopping-cart.items.item-1.item-description"
value="WhatsApp Messenger"/>
<input type="hidden" name="shopping-cart.items.item-1.merchant-item-id"
value="1"/>
<input type="hidden"
name="shopping-cart.items.item-1.merchant-private-item-data"
value="XXXXXXXXXXXXXXX"/>
<input type="hidden" name="shopping-cart.items.item-1.unit-price"
value="0.99"/>
<input type="hidden"
name="shopping-cart.items.item-1.unit-price.currency" value="USD"/>
<input type="hidden" name="shopping-cart.items.item-1.quantity" value="1"/>
<input type="hidden"
name="shopping-cart.items.item-1.digital-content.display-disposition"
value="OPTIMISTIC"/>
<input type="hidden"
name="shopping-cart.items.item-1.digital-content.email-delivery"
value="true"/>
<input type="hidden"
name="checkout-flow-support.merchant-checkout-flow-support.continue-shopping-url"
value="http://www.whatsapp.com/payments/success.php"/>
<input type="hidden" name="_charset_" />
</form>
</body>
</html>
0

This means an attacker could intercept the first request via a suitable
man-in-the-middle attack and redirect the user to any web page while the
user is trying to buy WhatsApp credit. To harvest user accounts, the
attacker could set up a fake Google Wallet or PayPal page. It might even
be possible to obtain money directly this way, for instance by letting
the user pay the 0.99 USD via Google Wallet or PayPal into an account
belonging to the attacker.
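The two properties the advisory identifies (the initial payment request travels over plain HTTP, and the response is an auto-submitting form whose action the user never sees) are exactly what a defender would want to check for in captured traffic. The following is an added example, not code from the advisory or from WhatsApp: it inspects a request URL and its HTML response and flags a plaintext initial request and any checkout form that does not post over HTTPS to an expected checkout host. The sample response and the expected host list are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the auto-submitting payment page in the
# advisory; merchant id and phone number are placeholders, not real values.
SAMPLE_RESPONSE = """<html><head><title>WhatsApp Messenger payment</title></head>
<body onLoad="document.getElementById('google').submit()">
<form id="google" method="POST"
 action="https://checkout.google.com/api/checkout/v2/checkoutForm/Merchant/MERCHANT_ID_PLACEHOLDER"
 accept-charset="utf-8">
<input type="hidden" name="shopping-cart.items.item-1.unit-price" value="0.99"/>
<input type="hidden" name="shopping-cart.items.item-1.unit-price.currency" value="USD"/>
</form></body></html>"""

# Assumed allowlist of hosts a legitimate checkout form may post to.
EXPECTED_CHECKOUT_HOSTS = {"checkout.google.com", "www.paypal.com"}


class _FormActionCollector(HTMLParser):
    """Collects the action attribute of every <form> in a document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action") or "")


def form_actions(html):
    parser = _FormActionCollector()
    parser.feed(html)
    return parser.actions


def check_payment_flow(request_url, response_html):
    """Return a list of findings; an empty list means the flow looks as expected."""
    findings = []
    if urlsplit(request_url).scheme != "https":
        findings.append("initial payment request not over HTTPS")
    actions = form_actions(response_html)
    if not actions:
        findings.append("no checkout form found in response")
    for action in actions:
        target = urlsplit(action)
        if target.scheme != "https":
            findings.append(f"form action not HTTPS: {action}")
        if target.hostname not in EXPECTED_CHECKOUT_HOSTS:
            findings.append(f"form posts to unexpected host: {target.hostname}")
    return findings
```

Running `check_payment_flow` on the plaintext request from the advisory and the sample response reports only the missing HTTPS on the first hop; a response whose form action has been swapped for another host is reported as well.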

Besides, an attacker could serve some other content, such as a web page
offering a new apk supposedly necessary for using Google Wallet or PayPal,
much as the (in)famous Zitmo Trojan did when users visited a banking site,
offering them some extra "security" features.

-=Practical abuse of the bug=-

As the credit is bought only once per year, the attack itself is
unlikely to be practical for large-scale misuse, since the attacker needs
to be in control of the wireless or GSM network to intercept and
redirect the traffic.

-=Affected Versions=-

2.9.6447 to 2.10.751 (latest as of 2013 July 2)
