whatsapp-phishing : principle code for running an phishing attack against Whatsapp Web client.

whatsapp-phishing : principle code for running an phishing attack against Whatsapp Web client.

What does it do:
It will extract the QR code from Whatsapp Web and display it on a new page. If someone scans the code using Whatsapp it will grab the credentials from the web client and save them in a file. You can use these credentials to log yourself in as the person who scanned to QR code. It’s theoreticaly possible to use this for a phishing attack.

How does it work:
The program uses node.js and socket.io for the website and selenium, a tool for scripting browsers, to communicate with the Whatsapp web client.
The program starts a http and a socket.io server. If a new client connects to socket.io the application will make a request to a selenium instance to start a new browser and connect to web.whatsapp.com. It will fetch the QR code data and send it to the client via the websocket connection. The client javascript then shows the QR code to the user.
If the QR code gets scanned Whatsapp will authenticate the selenium controlled browser and store some tokens in the localStorage and document.cookie. We extract that data and save it into a text file. It will look like so:

You can than import these tokens into your browser and log in as the person who scanned the QR code.

1. Download the selenium standalone server  jar file and install Firefox if you don’t have it already.
2. Type the following into your terminal

3. Open your browser and go to http://localhost:8080
4. Start Whatsapp on your smartphone, go to Menu > Whatsapp Web and scan the QR code from your browser.
5. Copy the content from the newly created secrets file
6. Open web.whatsapp.com. (Watch out that you are not alredy logged in, maybe use incognito mode)
7. Open your developer console
8. Enter the following code:

9. Reload the page
10. You should be logged in as the person who scanned the QR code


Whatsapp messages are meant to be private. Just because the NSA reads everything it doesn’t mean you should do as well! Everything in this repo is for education purpose only and Developer and Seclist Team not responsible if you use it otherwise.

Download : Whatsapp-Phishing.zip  | Clone Url
Source : http://blog.mawalabs.de/whatsapp-phishing/