XSS (Cross Site Scripting) In WhatsApp

In cyber security research, every researcher dreams of discovering security flaws and vulnerabilities in the web applications of top organizations such as Google, Twitter and Facebook. My story is something like this, so here is how it began.

This was October 24th, 2016. The day began in an exceptionally dull state of mind, and I was also tense because I had a Mathematics exam at my college. Anyhow, I headed off to college, sat the exam, and afterwards returned to my lodging. I was extremely tired because I had not slept the previous night, so I simply threw my books to one side and lay down on my bed without changing my uniform. I began playing with my mobile while my mind was out of order. I opened WhatsApp Messenger and got a group invitation link from one of my friends; the group was about HTML-5. I mistakenly copied that link and then opened it in an external browser. The link loaded successfully and the page read “Click here to join “HTML-5” group”.

Do you know what came next? I remembered the time when I was learning XSS (Cross Site Scripting) and HTML injections. My mind clicked, and I made another group with the name “<h1>Muhaddi</h1>”, of which I was the admin. As before, I copied the invitation link and opened it in the browser. When the link opened, I saw that the HTML code executed and that the page was vulnerable to XSS (Cross Site Scripting) and HTML injections.
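The behaviour described above comes down to the group name being written into the invite page without HTML encoding. The sketch below is an added example, not code from the original post or from WhatsApp; the function names and the page template are assumptions, and the group name is the one from the post.

```javascript
// Added example: a hypothetical invite-page renderer, not WhatsApp's code.

// Encode the five characters that are significant in HTML text and
// attribute contexts. "&" is matched like any other character, so each
// input character is encoded exactly once.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the user-controlled group name is concatenated
// into the markup as-is, so any tags in it become part of the page.
function renderInviteUnsafe(groupName) {
  return `<p>Click here to join "${groupName}" group</p>`;
}

// Hardened pattern: the name is encoded for the HTML context first,
// so the browser shows it as text instead of parsing it as markup.
function renderInviteSafe(groupName) {
  return `<p>Click here to join "${escapeHtml(groupName)}" group</p>`;
}

// Regression check for a test suite: after removing the template's own
// <p> wrapper, no tag should remain in the rendered output.
function containsInjectedTag(html) {
  const inner = html.replace(/^<p>/, "").replace(/<\/p>$/, "");
  return /<\/?[a-zA-Z][^>]*>/.test(inner);
}

const groupName = "<h1>Muhaddi</h1>"; // group name used in the post
console.log("unsafe:", renderInviteUnsafe(groupName));
console.log("safe:  ", renderInviteSafe(groupName));
console.log("unsafe output carries a tag:", containsInjectedTag(renderInviteUnsafe(groupName)));
console.log("safe output carries a tag:  ", containsInjectedTag(renderInviteSafe(groupName)));
```

Encoding at output time, in the context where the value is written, is what keeps a stored name like this one inert on every page that displays it.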

Cross Site Scripting (XSS) WhatsApp

This was an awesome moment to experience in my life; now I did not care about my rest at all. Right then and there I offered my prayers. Thanks to ALLAH. I reported it directly through the Facebook Security page, as WhatsApp is a partner of Facebook Inc.

After that I also executed some other payloads, and they executed as well. The above web page is also vulnerable on mobile.

WhatsApp Mobile XSS

After I emailed and reported it to them, they fixed the vulnerability in under 30 minutes. One of my friends reported Clickjacking vulnerabilities to Facebook Inc. and they rewarded him with a thousand dollars, yet unfortunately they only thanked me and did not give me any further response. They ought to have given me a bounty, but I think they declined to offer it to me; perhaps there was some issue they did not want to share with me.

Kurt Reply

Anyway, I am not angry about this. I felt glad to make the web safer and more secure, and that is what I have been doing for a long time. By using some social engineering I could gain access to their server and could easily exploit their web server and access every record of WhatsApp, but I left black hat hacking almost a year ago.

Neal Reply


Vulnerable Link: Http://Chat.WhatsApp.Com

Vulnerability: XSS (Cross Site Scripting) Stored XSS and HTML Injections
Status: Patched
Reward: Just Thanks! (Felt Proud to make an Internet Safer)
User Agent: UC Browser / Chrome / Firefox / Opera / Safari / Android Browser
Security Researcher: Muhammad Muhaddis (Cyber Security Researcher)

Watch the Proof of Concept video below for a clear understanding of the flaw that I found in the WhatsApp website.

Thanks for reading and watching. Stay connected, and catch you in the next post.
