WhatsApp has had serious security flaws throughout its history. One of the most popular was that, just by receiving a missed call, anyone could steal chats and images from our mobile. Now, a new flaw allows anyone’s IP address to be known, exposing them to attacks.
The flaw has been discovered by a user called bhdresh , who has even created a proof of concept in which he demonstrates how the vulnerability works and how it can be used to obtain the IP address of a person just by making a call to through the app.
Anyone can know your IP through WhatsApp
The security flaw works even in the latest version of the app. To do this, you must first establish a script that can read the traffic we generate when making a call or video call in the app. After that, the sender’s application tries to establish a connection with the receiver’s IP address. By filtering the IP address of the recipient’s Facebook and WhatsApp server, it is possible to reveal their IP address without the user knowing.
With this, users can know the public IP addresses to know the approximate location of these users, and thus be able to follow their movements by creating a location history, being able to know, for example, whether or not they are away from home.
To carry out the attack it is necessary, first of all, to have the mobile phone and the computer connected to the same WiFi network . Subsequently, the script that you have published on your GitHub page is executed, and with which the attacker’s computer acts as a router in the eyes of the mobile, so that it collects all the traffic.
After that, all that remains is to call any WhatsApp user. The call has to be established between both parties, and from there we can hang up, since the script will already show the IP address of the recipient.
Facebook says it won’t fix it
The user who discovered this vulnerability reported the bug to Facebook on October 14, 2020 , but the social network said that this operation was as expected and that there was nothing to patch, so they were not going to give a reward. The only advice they gave was to use a VPN if they didn’t want their IP address exposed.
In March 2021, Signal introduced a mechanism to redirect calls through a server to hide the real IP address of the recipient so that this method does not work. Therefore, bhdresh asked Facebook again if they could implement something like this, and they said no, that the current implementation works without problems. Therefore, our IP address is exposed to anyone who calls us, so the only solution is to use a VPN, not take calls from strangers, or even block calls on WhatsApp.
WhatsApp will allow you to recover banned accounts
If you have been using third-party WhatsApp applications or have violated the terms of use of the app in any way, it is likely that you have been banned. Contacting the technical service may not have been fruitful, but luckily WhatsApp will allow us to request a review of our account if it has been banned.
This function will allow, within 24 hours, to recover our account if we have not really breached the conditions of the app. When the account is unlocked, we will receive a notification on the mobile.
