Recently I came across a phishing page that simulated Whatsapp Web login workflow. It was really a clear clone – the QR code changed every 20 seconds and if I were in China I would have definitely needed to look at the URL carefully.
What is Whatsapp Web?
WhatsApp Web is essentially a web-based interface of the WhatsApp application on your phone. It allows you to use WhatsApp from your web browser by scanning a QR code from your mobile app to establish a secure connection. The web interface mirrors the chats from your mobile device, enabling you to send and receive messages, share media files, and even use voice and video calls via the browser.
The technology behind it is a real-time, full-duplex WebSocket connection, often upgraded to a secure WebSocket (WSS) after initial authentication. This setup allows for quick and secure message syncing between the mobile device and the web interface.
Whatsapp Web Authentication Process
Before we understand the authentication mechanism, we must understand the components involved.
- Client-Side Application: The WhatsApp application running on your mobile device.
- Server-Side Application: The backend that manages WhatsApp Web and coordinates with the client-side application.
- Web Interface: The browser interface you interact with (web.whatsapp.com).
- WebSocket Creation: As soon as we visit web.whatsapp.com, a WebSocket connection is established between your browser and the WhatsApp Web server.
- Key Pair Generation: On the server-side, a public-private key pair is generated. The public key is used for verification, but the private key is securely stored on the server.
- QR Code Generation: The server generates a unique QR code containing a session identifier, encrypts it, and sends it along with the public key to the web interface, where it is displayed for us to scan.
- QR Code Scanning: When we scan the QR code with the WhatsApp mobile app, the session identifier and public key are decoded by the mobile app.
- Mobile Device Verification: The mobile app uses the public key to encrypt a piece of data, typically a cryptographic nonce or another session identifier, and sends it back to the server for verification.
- Server Verification: The server uses its private key to decrypt the received data. If it matches the original data, the server considers the session authenticated.
- Token Generation and Storage: Upon successful authentication, a secure token is generated and stored both on the server and the client side. This token is then used for subsequent authenticated interactions between the server and the client which is our browser.
How the Phishing Attack works
- Phishing Server: The attacker sets up a phishing server. This server hosts a cloned web page resembling the WhatsApp Web interface.
- Fake QR Code Generation: Instead of sending a legitimate “WebSocket & Encrypted QR Code + Public Key,” the phishing server generates a static QR code tied to the attacker’s unauthorized client.
- QR Code Scanning: The victim scans this QR code with their mobile device. Unlike in the genuine process where this would “Scan QR Code & Receive Public Key,” here it sends session data to the attacker’s client.
- Session Hijacking: The attacker’s client receives the “Encrypted Verification Data” from the victim’s mobile device and establishes a new session by mimicking the “Decrypt, Verify & Send Back Confirmation” process, thereby hijacking the WhatsApp session.
- Data Harvesting: With the session established, the attacker can perform actions similar to “WSS: End-to-End Encrypted Data Transfer,” but in this case, it’s unauthorized data harvesting from the victim’s WhatsApp account.
- Optional: Additional Phishing Fields: The attacker may include extra form fields on the phishing page to collect more data, simulating an “extra verification” process.
- Data Storage: All harvested data, resembling the “WSS: End-to-End Encrypted Data Transfer,” gets stored on the attacker’s phishing server instead of being securely encrypted and stored.
No matter how hard we try, attackers will always find novel ways to trick users. Just like any other phishing campaign, this one also relies on using compromised servers or websites to serve phishing pages. That is why user education is the best weapon against phishing attacks. I took my time to share this with you so that you can make your near and dear ones aware of this upcoming scam.
Thanks for reading!